Formidable Forms Vulnerability Let Attackers Reuse Low-Value Stripe Payments for Higher-Cost Purchases
A Formidable Forms vulnerability affecting WordPress sites could let attackers reuse low-value Stripe payments to complete more expensive purchases without paying the full amount.
A high-severity vulnerability in the Formidable Forms WordPress plugin could let unauthenticated attackers bypass payment checks and complete higher-value purchases using a Stripe payment originally made for a lower amount. The issue affects Formidable Forms versions up to and including 6.28 on WordPress sites that use the plugin for payment forms, according to the details provided in the disclosure.
The flaw has been assigned CVE-2026-2890 and given a CVSS score of 7.5, placing it in the high-severity range. While the vulnerability does not provide remote code execution or direct access to the server, it affects payment integrity in a way that could expose merchants to financial loss.
Payment Verification Weakness
Formidable Forms is a drag-and-drop WordPress form builder used to create contact forms, surveys, registration workflows, and payment forms. Many sites use it alongside payment processors such as Stripe and PayPal to sell digital products, manage memberships, collect service fees, or process event registrations.
According to the disclosure, the vulnerability stems from incomplete validation in the plugin's Stripe payment flow. Specifically, the handle_one_time_stripe_link_return_url function is said to mark a payment as complete based on the status of a Stripe PaymentIntent, without confirming that the amount paid matches the amount expected for the specific transaction.
That design creates a gap in the payment flow. An attacker could make a legitimate payment for a cheaper item, then reuse the resulting PaymentIntent in a separate purchase flow for a more expensive item. If the plugin checks only whether the PaymentIntent has completed successfully, rather than whether its charged amount and currency match the expected price and whether it was created for that particular form submission, the higher-value transaction is incorrectly marked as paid.
No Authentication Required
One of the more significant aspects of the issue is that it does not require an authenticated account. According to the supplied description, an attacker does not need to log in or obtain subscriber-level access to exploit the flaw.
That lowers the barrier to exploitation. In practice, any internet-facing WordPress site running an affected version of the plugin and accepting Stripe-based payments through Formidable Forms could be exposed if the vulnerable payment path is enabled.
The issue is best understood as a business logic flaw rather than a server-side compromise. Attackers are not described as gaining administrative control, executing code, or accessing sensitive server functions. Instead, the weakness appears to allow manipulation of how the plugin interprets completed payments.
How the Flaw Works
The disclosed behavior centers on how Formidable Forms validates Stripe PaymentIntents after a payment attempt.
According to the provided technical description, the verify_intent() function checks only that the client secret belongs to the user. It does not appear to bind that PaymentIntent to a specific form submission or purchase action, and it does not verify that the amount charged matches the amount the customer was expected to pay. A client secret only proves possession of a particular PaymentIntent; it says nothing about which order that intent was created for or how much it was for.
That combination is what makes the flaw consequential. A completed PaymentIntent for a low-cost purchase may still appear valid when reused in another payment context, even if the second transaction is for a larger amount.
Wordfence described the issue as a payment integrity bypass affecting all versions up to and including 6.28. In its summary, the security firm said the plugin marked payment records as complete based on PaymentIntent status without comparing the charged amount to the expected payment amount, and without adequately binding intents to particular forms or actions.
In practical terms, that means a successful low-value Stripe transaction could potentially be used to satisfy the plugin's checks for a separate, more expensive purchase.
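The following Python is an added illustration of the two verification paths described above (the status-only check in handle_one_time_stripe_link_return_url and the unbound verify_intent() check), not code from the Formidable Forms plugin, from Wordfence, or from the disclosure. The "vulnerable" verifier accepts any PaymentIntent whose status is succeeded, while the hardened verifier also compares amount and currency against the order, requires the intent's metadata to name the form and order it was created for, and, going beyond the specific case on this page, refuses an intent that has already settled an order. The PaymentIntent dictionaries are constructed for the example and mirror only the relevant fields of Stripe's object (id, status, amount, amount_received, currency, metadata); the Order type, the IDs and the consumed-set bookkeeping are assumptions. In a real integration the intent must be retrieved server-side from Stripe by ID using the secret key, and the metadata must be written by the server when the intent is created, since anything the browser supplies can be forged.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    """What the site expects to be paid for one form submission.
    `amount` is in the currency's minor unit (cents), as Stripe reports it."""
    order_id: str
    form_id: str
    amount: int
    currency: str


# Constructed PaymentIntent objects (assumption: only the fields the check needs).
# Stripe metadata values are always strings, so the IDs are stored as strings.
INTENT_CHEAP = {
    "id": "pi_cheap_example",
    "status": "succeeded",
    "amount": 500,              # 5.00 USD actually charged
    "amount_received": 500,
    "currency": "usd",
    "metadata": {"form_id": "12", "order_id": "ord-cheap"},
}
INTENT_PENDING = {
    "id": "pi_pending_example",
    "status": "requires_payment_method",   # created but never confirmed
    "amount": 50000,
    "amount_received": 0,
    "currency": "usd",
    "metadata": {"form_id": "12", "order_id": "ord-expensive"},
}

ORDER_CHEAP = Order("ord-cheap", "12", 500, "usd")
ORDER_EXPENSIVE = Order("ord-expensive", "12", 50000, "usd")


def vulnerable_is_paid(intent: dict, order: Order) -> bool:
    """Models the flaw the disclosure describes: any intent whose status is
    'succeeded' settles any order, regardless of amount or origin."""
    return intent.get("status") == "succeeded"


def verify_payment(intent: dict, order: Order, consumed: set) -> list:
    """Return every reason `intent` must not settle `order` (empty list = OK).
    `consumed` holds IDs of intents already applied to an order; persist it."""
    problems = []
    if intent.get("status") != "succeeded":
        problems.append("status is %r, not 'succeeded'" % intent.get("status"))
    # Compare what Stripe actually received, not just what was requested.
    if intent.get("amount") != order.amount or intent.get("amount_received") != order.amount:
        problems.append("amount %s/%s received does not match expected %s"
                        % (intent.get("amount"), intent.get("amount_received"), order.amount))
    if str(intent.get("currency", "")).lower() != order.currency.lower():
        problems.append("currency %r does not match expected %r"
                        % (intent.get("currency"), order.currency))
    # Binding: the server wrote form_id/order_id into metadata when it created
    # the intent, so an intent created for another form or order fails here.
    meta = intent.get("metadata") or {}
    if meta.get("form_id") != order.form_id or meta.get("order_id") != order.order_id:
        problems.append("intent is bound to form %r / order %r, not this order"
                        % (meta.get("form_id"), meta.get("order_id")))
    # Replay: one succeeded intent settles at most one order.
    if intent.get("id") in consumed:
        problems.append("intent %r was already used to settle an order" % intent.get("id"))
    return problems


def hardened_is_paid(intent: dict, order: Order, consumed: set) -> bool:
    """Accept only when every check passes, then record the intent as spent."""
    if verify_payment(intent, order, consumed):
        return False
    consumed.add(intent["id"])
    return True


if __name__ == "__main__":
    print("vulnerable: cheap intent on expensive order ->",
          vulnerable_is_paid(INTENT_CHEAP, ORDER_EXPENSIVE))
    for problem in verify_payment(INTENT_CHEAP, ORDER_EXPENSIVE, set()):
        print("hardened rejects:", problem)
```

Run stand-alone, the script shows the cheap intent passing the status-only check against the expensive order while the hardened check rejects it for both the amount mismatch and the missing binding. The replay check is included because an amount check on its own still lets one correctly priced payment settle the same item repeatedly; storing the PaymentIntent ID on the payment record and refusing a second use is what closes that path.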
Business Impact for Site Operators
For affected site owners, the primary risk is revenue loss rather than full site compromise. If exploited, the flaw could allow attackers to obtain paid access, services, registrations, or digital goods without paying the required amount.
The impact depends on how a site uses Formidable Forms. Sites selling downloadable products, paid bookings, subscriptions, or event access through Stripe-connected forms may face direct financial exposure if an attacker can repeatedly bypass the intended charge amount.
Because exploitation is unauthenticated, account restrictions, login hardening and similar access controls do nothing to reduce the risk. The controlling factor is the plugin version, that is, whether the payment validation logic has been updated.
Affected Versions and Patch
According to the disclosure, all Formidable Forms versions up to and including 6.28 are affected.
Users are being urged to update to version 6.29 or later, which is described as the patched release intended to address the payment validation weakness. For administrators running the plugin in production payment flows, the update should be treated as a priority because the flaw affects transaction verification rather than a rarely used administrative feature. Updating stops further abuse but does not retroactively flag past transactions; because the described flaw produces orders whose recorded price exceeds what Stripe actually charged, operators can compare the amounts in the Stripe dashboard against the amounts their form payment records show as paid to spot any earlier misuse.
This case is another example of how application-level payment logic can create security problems even when the underlying payment processor remains intact. In these situations, the weakness is not in Stripe itself, but in how the surrounding application checks and records payment status.