Formidable Forms Flaw Lets Attackers Pay Less For Expensive Purchases

According to Roger Montti’s article on Search Engine Journal, “Formidable Forms Flaw Lets Attackers Pay Less For Expensive Purchases,” a high-severity vulnerability has been discovered in the Formidable Forms WordPress plugin, affecting over 300,000 websites.

Vulnerability Summary

Montti reports that the flaw allows unauthenticated attackers to bypass payment verification, enabling them to pay a small amount and have a more expensive transaction marked as fully paid. The vulnerability is rated 7.5 (High) and has been assigned CVE-2026-2890.

Root Cause: Inadequate Payment Validation

The issue results from insufficient validation in the plugin’s Stripe payment processing. Specifically:

  • The plugin marks payments as complete based only on the Stripe PaymentIntent status.
  • It does not verify that the amount paid matches the expected transaction amount.
  • It also fails to bind the payment intent to a specific form submission.

These gaps allow an attacker to take a valid, succeeded PaymentIntent from a low-cost transaction and present it to falsely confirm a higher-value purchase.
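To make the three gaps concrete, the following Python is an added illustration written for this summary, not Formidable Forms or Stripe code: a status-only confirmation of the kind the article describes, beside a check that also compares the settled amount and currency against the server-side price, requires the intent to carry the submission it was created for, and refuses to settle two submissions with one intent. The PaymentIntent objects are constructed stand-ins with made-up values; the field names (status, amount_received, currency, metadata) are Stripe's, and retrieve_intent stands in for PaymentIntent.retrieve.

```python
"""Status-only payment confirmation beside a hardened check.
Added example for illustration; not code from the plugin or from Stripe."""
from dataclasses import dataclass

# Constructed stand-in for PaymentIntent objects as returned by Stripe's
# PaymentIntent.retrieve(). Field names follow Stripe's API; values are made up.
# Amounts are in minor units (cents), as Stripe uses.
STRIPE_INTENTS = {
    "pi_cheap": {"id": "pi_cheap", "status": "succeeded", "amount": 500,
                 "amount_received": 500, "currency": "usd",
                 "metadata": {"submission_id": "sub_1"}},
    "pi_full": {"id": "pi_full", "status": "succeeded", "amount": 50000,
                "amount_received": 50000, "currency": "usd",
                "metadata": {"submission_id": "sub_2"}},
    "pi_unpaid": {"id": "pi_unpaid", "status": "requires_payment_method",
                  "amount": 50000, "amount_received": 0, "currency": "usd",
                  "metadata": {"submission_id": "sub_3"}},
}


def retrieve_intent(intent_id):
    """Stand-in for stripe.PaymentIntent.retrieve(intent_id) (offline)."""
    return STRIPE_INTENTS.get(intent_id)


@dataclass
class Submission:
    id: str
    amount: int        # server-side price in minor units (cents)
    currency: str
    paid: bool = False


def confirm_vulnerable(submission, intent_id):
    """Status-only check, the pattern the article describes: any succeeded
    intent, whatever its amount and whichever submission it was created for,
    marks this submission as paid."""
    intent = retrieve_intent(intent_id)
    if intent is not None and intent["status"] == "succeeded":
        submission.paid = True
    return submission.paid


class PaymentVerifier:
    """Hardened check: status, settled amount, currency, submission binding,
    and single use per intent."""

    def __init__(self):
        self.consumed = set()   # intent ids that have already settled a submission

    def confirm(self, submission, intent_id):
        intent = retrieve_intent(intent_id)
        if intent is None or intent["status"] != "succeeded":
            return False
        # amount_received is what actually settled; compare it to the price
        # the server computed, never to a value supplied by the client.
        if intent["amount_received"] != submission.amount:
            return False
        if intent["currency"].lower() != submission.currency.lower():
            return False
        # Binding: the intent must carry the submission id the server stored
        # in its metadata when it created the intent (assumed here).
        if intent["metadata"].get("submission_id") != submission.id:
            return False
        # Replay: one intent settles exactly one submission.
        if intent_id in self.consumed:
            return False
        self.consumed.add(intent_id)
        submission.paid = True
        return True
```

With these stand-ins, confirm_vulnerable marks a 50000-cent order paid when handed the 500-cent intent, while PaymentVerifier rejects it on the amount check, rejects an intent whose metadata names a different submission even when the amount matches, and rejects a second use of an intent it has already consumed. The binding check assumes the server wrote metadata.submission_id when it created the intent; as a general Stripe practice, the final confirmation should also come from a signature-verified webhook event rather than from an intent id the client submits.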

Business Impact

Montti notes that although the vulnerability does not permit server compromise or code execution, it poses a significant financial risk. Attackers can:

  • Pay a minimal amount.
  • Reuse that payment confirmation.
  • Receive goods or services without paying full price.

This effectively enables payment fraud via logic bypass, which can significantly impact businesses that rely on the plugin for transactions.

Affected Versions and Remediation

All versions up to and including 6.28 are affected. The issue is resolved in version 6.29.

Site owners using Formidable Forms should update to version 6.29 or later immediately. Montti’s report emphasizes that even without system-level compromise, payment logic flaws can result in significant financial losses, making prompt updates essential.
