Key Takeaways
- Formidable Forms, a popular WordPress plugin installed on over 300,000 sites, contains a payment-validation vulnerability tracked as CVE-2026-2890.
- The flaw lets an attacker reuse a completed low-value Stripe payment to satisfy a higher-priced form, paying less than the required amount.
- Attackers can exploit this vulnerability without needing to authenticate, increasing risks for websites accepting payments.
- A patch for the Formidable Forms vulnerability has been released in version 6.29, and users should update immediately to mitigate risks.
Formidable Forms Vulnerability Discovered in WordPress Plugin
A vulnerability has been discovered in Formidable Forms, a widely used WordPress plugin installed on more than 300,000 websites. The plugin is used to build online forms for payments, registrations, surveys, and contact submissions, and many sites connect it to payment processors such as Stripe and PayPal.
Security researchers identified a flaw that allows an attacker to pay less than the purchase price of a form. The vulnerability affects Formidable Forms versions up to and including 6.28 and has been assigned CVE-2026-2890. It carries a CVSS score of 7.5, a high-severity rating.
How the Formidable Forms Vulnerability Works
The vulnerability is an improper payment validation in the plugin's Stripe integration: the server trusts that a submitted payment succeeded without confirming that it paid for the form being submitted.
An attacker first completes a genuine low-value payment through any form built with the plugin. Stripe records that charge as a PaymentIntent, and the attacker captures its identifier. The attacker then submits a different form that requires a higher payment, supplying the identifier of the already-completed low-value PaymentIntent.
The plugin checks that the PaymentIntent exists in Stripe and that its status indicates success, but it does not compare the amount actually charged with the price of the form being submitted. Because that comparison is missing, the higher-value submission is recorded as fully paid even though only the small amount was ever charged.
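The following is an added example written for this article, not code from the Formidable Forms plugin (which is PHP); it models the described check in Python so the missing step is visible. The PaymentIntent objects are constructed stand-ins using Stripe's real field names (`id`, `status`, `amount`, `amount_received`, `currency`, `metadata`), with amounts in the smallest currency unit as Stripe reports them. `verify_payment_vulnerable` reproduces the flawed logic the article describes; `verify_payment_hardened` adds the amount comparison and, as further hardening this editor would recommend rather than a description of the 6.29 fix, a currency check, a binding of the intent to the form it was created for via a `form_id` metadata key (assumed to be stamped at creation time), and single-use tracking so one charge cannot be redeemed twice.

```python
"""Model of a PaymentIntent reuse flaw: vulnerable check beside a hardened one.

Constructed example for illustration; not the plugin's code. Amounts are in
the smallest currency unit (cents), as in Stripe's API.
"""

# Constructed sample intents standing in for stripe.PaymentIntent.retrieve().
# "pi_constructed_low" was a real $1.00 payment against form 7; the attacker
# will replay its id against a form that costs $250.00.
SAMPLE_INTENTS = {
    "pi_constructed_low": {
        "id": "pi_constructed_low",
        "status": "succeeded",
        "amount": 100,
        "amount_received": 100,
        "currency": "usd",
        "metadata": {"form_id": "7"},  # assumed: stamped when the intent was created
    },
    "pi_constructed_unpaid": {
        "id": "pi_constructed_unpaid",
        "status": "requires_payment_method",
        "amount": 25000,
        "amount_received": 0,
        "currency": "usd",
        "metadata": {"form_id": "9"},
    },
}


def retrieve_intent(intent_id):
    """Stand-in for the Stripe lookup; None means Stripe knows no such intent."""
    return SAMPLE_INTENTS.get(intent_id)


def verify_payment_vulnerable(intent_id):
    """The flawed check: intent exists and succeeded. Nothing ties it to this form."""
    intent = retrieve_intent(intent_id)
    return intent is not None and intent["status"] == "succeeded"


def verify_payment_hardened(intent_id, expected_amount, expected_currency,
                            form_id, consumed):
    """Accept only an intent that paid exactly this form's price, once.

    Returns (ok, reason). `consumed` is a set of intent ids already redeemed;
    in a real deployment it would be persistent storage, not a Python set.
    """
    intent = retrieve_intent(intent_id)
    if intent is None or intent["status"] != "succeeded":
        return False, "intent missing or not succeeded"
    if intent["currency"].lower() != expected_currency.lower():
        return False, "currency mismatch"
    # Strict equality, not >=: an intent created for a different price was not
    # created for this checkout, whatever direction the difference runs.
    if intent["amount_received"] != expected_amount:
        return False, (f"amount mismatch: received {intent['amount_received']}, "
                       f"form requires {expected_amount}")
    if intent["metadata"].get("form_id") != str(form_id):
        return False, "intent was created for a different form"
    if intent_id in consumed:
        return False, "intent already redeemed"
    consumed.add(intent_id)
    return True, "ok"


if __name__ == "__main__":
    # Attack: replay the $1.00 intent against the $250.00 form (id 9).
    print("vulnerable accepts replay:", verify_payment_vulnerable("pi_constructed_low"))
    redeemed = set()
    print("hardened:", verify_payment_hardened("pi_constructed_low", 25000, "usd", 9, redeemed))
    print("legitimate:", verify_payment_hardened("pi_constructed_low", 100, "usd", 7, redeemed))
    print("second use:", verify_payment_hardened("pi_constructed_low", 100, "usd", 7, redeemed))
```

The amount comparison alone closes the gap the article describes; the form binding and single-use set address the adjacent problem that even a correctly-priced PaymentIntent could otherwise be replayed against every form that happens to share that price.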
Security Risks of the Formidable Forms Vulnerability
The vulnerability can be exploited without authentication. An attacker does not need an account on the site; reaching a public payment form built with the plugin is enough.
This puts sites that sell services, digital products, or event tickets through such forms at direct financial risk: a successful attack completes a purchase at a fraction of the intended price, and the submission is recorded as paid like any other.
Patch Released to Fix the Formidable Forms Vulnerability
The developers have released a security update that fixes the Formidable Forms vulnerability. The issue was patched in Formidable Forms version 6.29.
Website administrators are advised to update the plugin immediately; the update closes the payment verification gap for new submissions. Because an exploited order looks like an ordinary paid submission except that the Stripe charge is smaller than the form's price, sites that accepted Stripe payments while running 6.28 or earlier should also reconcile recent paid submissions against the corresponding Stripe charges.
