Formidable Forms Bug Lets Hackers Pay Less

A serious security vulnerability has been discovered in the Formidable Forms WordPress plugin, allowing unauthenticated attackers to complete low-cost transactions and then reuse them to approve higher-value purchases without paying the full amount. The flaw affects all versions up to and including 6.28 and could potentially put hundreds of thousands of websites at risk.

What is Formidable Forms?

Formidable Forms is one of the most popular drag-and-drop form builders for WordPress, installed on over 300,000 websites. The plugin enables users to create contact forms, surveys, registration forms, membership forms, and payment forms. Many websites rely on Formidable Forms to process payments for products, digital downloads, memberships, and events via popular payment processors such as Stripe and PayPal.

How the Vulnerability Works

The security issue is caused by insufficient validation in the plugin’s payment handling system. Specifically, the handle_one_time_stripe_link_return_url function marks a payment as complete based solely on the Stripe PaymentIntent status. Attackers can exploit this by using a PaymentIntent from a smaller, legitimate transaction to approve a more expensive purchase.

The verify_intent() function also contributes to the problem. It only verifies that the client secret belongs to a user, without ensuring that the PaymentIntent corresponds to a specific form submission or that the charged amount matches the intended payment. This means an attacker does not need any login credentials or special access to take advantage of the flaw.

Severity and Identification

The vulnerability has been assigned CVE-2026-2890 and carries a high severity rating of 7.5/10 (CVSS). While it does not allow attackers to execute remote code or compromise a server directly, it enables them to obtain goods or services without paying the correct price, which could result in financial losses for website owners.

Sites at Risk

All websites using Formidable Forms versions 6.28 or earlier are affected. Given the plugin’s popularity, this flaw could potentially impact thousands of businesses and organisations that depend on it for secure payment processing.

Recommended Action

Website owners and administrators are urged to update Formidable Forms to version 6.29 or later immediately. This update fixes the payment verification loophole and ensures that high-value transactions are correctly validated.

Key Takeaways

The Formidable Forms vulnerability allows unauthenticated attackers to bypass payment verification.
It affects all versions up to and including 6.28.
The flaw is related to the Stripe PaymentIntent handling and improper verification of the payment amount.
Updating to version 6.29 or newer is essential to protect your website and customers.

Formidable Forms is widely used for WordPress payments, making it critical that site owners take immediate action. Failing to apply the update could leave websites exposed to financial abuse, undermining customer trust and potentially leading to significant losses.