Formidable Forms Flaw Lets Attackers Pay Less For Expensive Purchases

A vulnerability within the Formidable Types WordPress plugin put in on over 300,000 web sites allows unauthenticated attackers to bypass fee verification. The vulnerability impacts all variations as much as and together with 6.28. It makes it attainable for attackers to reuse a Stripe fee made for a decrease quantity to mark a dearer transaction as paid.

Formidable Types Plugin

The Formidable Types plugin is a drag-and-drop type builder utilized by WordPress websites to create contact kinds, surveys, registration kinds, and fee kinds. Websites use it with fee processors (like PayPal and Stripe) to gather funds for companies, memberships, digital merchandise, and occasion registrations.

Susceptible To Unauthenticated Attackers

What makes this vulnerability particularly regarding is that it doesn’t require authentication. An attacker doesn’t must log in or acquire even subscriber-level entry to take advantage of the flaw. This makes it simpler for attackers to reap the benefits of the fee validation weak spot.

The vulnerability has been assigned CVE-2026-2890 and carries a CVSS severity rating of seven.5/10, which is rated Excessive.

Cost Integrity Bypass

The vulnerability is because of lacking validation within the handle_one_time_stripe_link_return_url perform. The perform marks fee data as full based mostly solely on the Stripe PaymentIntent standing. This makes it attainable for attackers to reuse a legitimate PaymentIntent for a smaller cost to approve a dearer buy.

The verify_intent() perform validates solely that the shopper secret belongs to the person. It doesn’t bind the PaymentIntent to a particular type submission. It doesn’t confirm that the quantity charged matches the quantity the shopper was alleged to pay.

Based on Wordfence:

“The Formidable Types plugin for WordPress is weak to a fee integrity bypass in all variations as much as, and together with, 6.28. That is because of the Stripe Hyperlink return handler (`handle_one_time_stripe_link_return_url`) marking fee data as full based mostly solely on the Stripe PaymentIntent standing with out evaluating the intent’s charged quantity towards the anticipated fee quantity, and the `verify_intent()` perform validating solely shopper secret possession with out binding intents to particular kinds or actions.

This makes it attainable for unauthenticated attackers to reuse a PaymentIntent from a accomplished low-value fee to mark a high-value fee as full, successfully bypassing fee for items or companies.”

This makes it attainable for unauthenticated attackers to finish a small low-cost transaction after which reuse that PaymentIntent to approve a dearer transaction with out paying the complete value.

This vulnerability doesn’t allow distant code execution or direct server compromise. But it surely does allow attackers to acquire items or companies with out paying the required value.

Affected Variations And Patch

All variations as much as and together with 6.28 are affected. Customers of the Formidable Types plugin are inspired by Wordfence to replace to model 6.29 or newer to deal with the vulnerability.