CVE-2026-2890
Formidable Forms <= 6.28 - Missing Authorization to Unauthenticated Payment Integrity Bypass via PaymentIntent Reuse
The Formidable Forms plugin for WordPress is vulnerable to a payment integrity bypass in all versions up to, and including, 6.28. This is due to the Stripe Link return handler (`handle_one_time_stripe_link_return_url`) marking payment records as complete based solely on the Stripe PaymentIntent status without comparing the intent's charged amount against the expected payment amount, and the `verify_intent()` function validating only client secret ownership without binding intents to specific forms or actions. This makes it possible for unauthenticated attackers to reuse a PaymentIntent from a completed low-value payment to mark a high-value payment as complete, effectively bypassing payment for goods or services.
| CWE | CWE-862 |
| Vendor | strategy11team |
| Product | formidable forms – contact form plugin, survey, quiz, payment, calculator form & custom form builder |
| Published | Mar 13, 2026 |
| Last Updated | Apr 8, 2026 |
Get instant alerts for strategy11team formidable forms – contact form plugin, survey, quiz, payment, calculator form & custom form builder
Be the first to know when new high vulnerabilities affecting strategy11team formidable forms – contact form plugin, survey, quiz, payment, calculator form & custom form builder are published — delivered to Slack, Telegram or Discord.
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N