Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calc…

Mar 12, 2026 | Plugins

Attack Vectors

CVE-2026-2888 is a Medium-severity issue (CVSS 5.3) affecting the Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin (slug: formidable) in versions 6.28 and below.

An attacker can target websites that use Formidable Forms for Stripe-based payments by sending requests to the plugin’s AJAX payment flow and manipulating the item_meta parameter to influence how the payment amount is recalculated. Because no login is required, this can be attempted remotely over the internet against publicly accessible pages where the payment form is available.

More details and references are available in the official record: https://www.cve.org/CVERecord?id=CVE-2026-2888.

Security Weakness

The core weakness is an authorization bypass in the plugin’s Stripe amount update logic. The AJAX handler (frm_strp_amount / update_intent_ajax) can overwrite global POST data using attacker-controlled JSON input, and then uses those values to recalculate payment amounts through shortcode/field resolution.

While the request is protected by a nonce, that nonce is publicly exposed in the page's JavaScript (referenced as frm_stripe_vars.nonce), so any visitor who loads the form can read it. A nonce in this position still helps reduce cross-site request forgery (CSRF), but it is not an authorization check: it does not establish that the requester is allowed to set or influence the payment amount.
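To make that distinction concrete, the following is a hypothetical WordPress AJAX handler written for this post (it is not Formidable Forms' code) that contrasts the weak pattern with a hardened one; the function names, nonce action, price table and the form_id/option/qty fields are all assumptions.

```php
<?php
// Hypothetical WordPress AJAX handler written for this post to contrast the
// weak pattern with a hardened one. It is not Formidable Forms' code; the
// function names, the price table and the form_id/option/qty fields are
// assumptions.

// WEAK PATTERN: request-supplied JSON is merged over $_POST and the amount is
// rebuilt from the client's own field values. A valid nonce only shows that the
// caller loaded the page, which any anonymous visitor can do.
function weak_update_amount() {
    check_ajax_referer( 'example_stripe_nonce', 'nonce' );
    $client = json_decode( wp_unslash( $_POST['item_meta'] ?? '' ), true );
    $_POST  = array_merge( $_POST, (array) $client );           // client-controlled
    $amount = (int) ( $_POST['price'] ?? 0 ) * (int) ( $_POST['qty'] ?? 1 );
    wp_send_json_success( [ 'amount' => $amount ] );            // trusted downstream
}

// HARDENED PATTERN: the nonce still covers CSRF, but every number that decides
// the charge comes from server-side configuration keyed by the form id; the
// client may only choose among options the site defined, never the price.
function hardened_update_amount() {
    check_ajax_referer( 'example_stripe_nonce', 'nonce' );
    $form_id = absint( $_POST['form_id'] ?? 0 );
    $option  = sanitize_text_field( wp_unslash( $_POST['option'] ?? '' ) );
    $qty     = min( absint( $_POST['qty'] ?? 1 ), 10 );        // site-defined ceiling

    $amount = compute_amount_from_server_config( $form_id, $option, $qty );
    if ( null === $amount ) {
        wp_send_json_error( [ 'message' => 'invalid selection' ], 400 );
    }
    wp_send_json_success( [ 'amount' => $amount ] );
}

// Price table (assumed) in the smallest currency unit; in a real plugin this
// would be read from the saved form/field settings, never from the request.
function compute_amount_from_server_config( $form_id, $option, $qty ) {
    $table = [ 7 => [ 'standard' => 2500, 'vip' => 9900 ] ];
    if ( ! isset( $table[ $form_id ][ $option ] ) || $qty < 1 ) {
        return null;
    }
    return $table[ $form_id ][ $option ] * $qty;
}

// Registering on the nopriv hook is what makes the endpoint reachable without
// a login, so the handler itself must carry the authorization decision.
add_action( 'wp_ajax_nopriv_example_amount', 'hardened_update_amount' );
add_action( 'wp_ajax_example_amount', 'hardened_update_amount' );
```

The hardened handler never reads a price from the request; the only things a caller can vary are the form, a named option and a bounded quantity, and anything outside the server's table is rejected.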

Remediation: Update Formidable Forms to version 6.29 (or newer patched versions) to address this issue, and review any payment forms for unexpected pricing logic or reliance on client-controlled values.

Technical or Business Impacts

The primary business risk is payment amount manipulation. If exploited, an attacker may be able to reduce (or otherwise alter) the amount charged compared to what your business intended, potentially leading to direct revenue loss, fulfillment of underpaid orders, and billing disputes.

For marketing and growth teams, this can also undermine promotional integrity (e.g., paid event registrations, donations, deposits, subscriptions, or lead-to-sale offers) by allowing unauthorized price changes outside approved campaigns or pricing rules.

For finance and compliance stakeholders, the downstream impact can include reconciliation issues, chargeback handling overhead, and audit concerns where transaction amounts do not match expected product/service pricing. Even if each incident is small, repeated abuse can compound losses and erode trust.

Similar Attacks

Attackers frequently target online payment and checkout workflows because even small weaknesses can translate into measurable financial outcomes. While the techniques may differ from CVE-2026-2888, the business objective—compromising payment-related processes—is similar.

Examples of real-world payment-focused web attacks include:

British Airways “Magecart” payment-page compromise (BBC)
Ticketmaster payment-page compromise linked to Magecart-style tactics (BBC)
Newegg credit card skimming incident (KrebsOnSecurity)
