Attack Vectors
Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder (slug: formidable) has a High-severity vulnerability (CVSS 7.5) tracked as CVE-2026-2890. The issue can be exploited without authentication, meaning an external attacker does not need a user account to attempt abuse over the internet.
The risk is most relevant to organizations using Formidable Forms for any workflow that relies on successful payment confirmation (for example: paid registrations, deposits, donations, gated downloads, event tickets, or service bookings). An attacker may be able to make a payment appear “complete” in the site’s records by reusing a Stripe PaymentIntent in a way that bypasses expected payment integrity checks.
Security Weakness
The vulnerability affects Formidable Forms versions up to and including 6.28. According to the published details, the Stripe Link return handler (handle_one_time_stripe_link_return_url) can mark payment records as complete based only on the Stripe PaymentIntent status, without comparing the amount actually charged to the amount the site expects.
In addition, the verify_intent() logic is described as validating only client secret ownership without binding the PaymentIntent to a specific form or action. Together, these weaknesses can enable an unauthenticated payment integrity bypass via PaymentIntent reuse, allowing “paid” status to be recorded without the intended payment conditions being met.
Remediation: Update Formidable Forms to 6.29 or newer (patched). Source: Wordfence vulnerability advisory.
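The two missing checks the advisory describes (amount enforcement and binding the PaymentIntent to a form and action) are easy to state in code. The following Python is an added example, not Formidable Forms code and not the plugin's real verify_intent(); it contrasts a status-only check with one that also enforces the expected amount and currency, binds the intent to the form and action through assumed metadata keys, and refuses a PaymentIntent id that has already been consumed. The intent records are constructed samples shaped like Stripe PaymentIntent objects.

```python
from dataclasses import dataclass, field

# Constructed sample PaymentIntent records shaped like Stripe's API objects
# (id, status, amount_received in minor units, currency, metadata). The
# metadata keys "form_id" / "action_id" are an assumption for this example.
INTENT_OK = {
    "id": "pi_example_0001",
    "status": "succeeded",
    "amount_received": 5000,
    "currency": "usd",
    "metadata": {"form_id": "12", "action_id": "77"},
}
INTENT_UNDERPAID = {**INTENT_OK, "id": "pi_example_0002", "amount_received": 100}
INTENT_OTHER_FORM = {**INTENT_OK, "id": "pi_example_0003",
                     "metadata": {"form_id": "99", "action_id": "1"}}


@dataclass
class ExpectedPayment:
    """What the site itself expects for this form action."""
    form_id: str
    action_id: str
    amount: int      # minor units, e.g. cents
    currency: str


@dataclass
class PaymentLedger:
    """Records PaymentIntent ids already used to mark a submission paid."""
    consumed: set = field(default_factory=set)


def weak_verify(intent: dict) -> bool:
    """Status-only check: the pattern the advisory describes as insufficient."""
    return intent.get("status") == "succeeded"


def strict_verify(intent: dict, expected: ExpectedPayment,
                  ledger: PaymentLedger) -> tuple[bool, str]:
    """Hardened check. Returns (accepted, reason) so the failing check can be logged."""
    if intent.get("status") != "succeeded":
        return False, "status"
    if intent.get("amount_received") != expected.amount:
        return False, "amount"
    if intent.get("currency") != expected.currency:
        return False, "currency"
    meta = intent.get("metadata") or {}
    if meta.get("form_id") != expected.form_id or meta.get("action_id") != expected.action_id:
        return False, "binding"
    intent_id = intent.get("id")
    if not intent_id or intent_id in ledger.consumed:
        return False, "reuse"
    ledger.consumed.add(intent_id)
    return True, "ok"


def run_checks() -> dict:
    """Run the constructed intents through both checks; used by the usage below."""
    expected = ExpectedPayment(form_id="12", action_id="77", amount=5000, currency="usd")
    ledger = PaymentLedger()
    return {
        "weak_accepts_underpaid": weak_verify(INTENT_UNDERPAID),
        "ok": strict_verify(INTENT_OK, expected, ledger),
        "replay": strict_verify(INTENT_OK, expected, ledger),  # same id again
        "underpaid": strict_verify(INTENT_UNDERPAID, expected, ledger),
        "other_form": strict_verify(INTENT_OTHER_FORM, expected, ledger),
    }


if __name__ == "__main__":
    for name, verdict in run_checks().items():
        print(f"{name}: {verdict}")
```

The status-only check accepts the underpaid intent; the strict check rejects it on amount, rejects the intent created for a different form on binding, and rejects the second use of the same id on reuse. In a real handler the intent should be fetched server-side from Stripe by id with the secret key rather than trusted as it arrives on the return URL, and the expected values should come from the site's own stored action configuration.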
Technical or Business Impacts
Revenue loss and fraud: If payment completion can be recorded without enforcing the expected amount, attackers may obtain paid goods or services for less than intended, or potentially without a valid payment outcome matching your pricing rules.
Operational disruption: Teams may waste time fulfilling orders, provisioning access, or confirming registrations that appear legitimately paid in WordPress records but do not align with actual revenue collected.
Reporting and reconciliation issues: When website payment records are inconsistent with Stripe settlement data, finance teams face increased reconciliation effort, delayed close processes, and higher risk of unnoticed leakage.
Compliance and customer trust: Payment-related integrity issues can trigger internal audit findings, require incident response, and undermine confidence in online transaction workflows—especially for regulated or highly scrutinized organizations.
Similar Attacks
While this issue is specific to payment integrity validation in a WordPress plugin, payment-flow abuse and checkout manipulation are common themes in real-world incidents, including:
British Airways (Magecart) payment card theft (BBC) — attackers targeted online payment pages to steal card data during checkout.
Ticketmaster breach linked to third-party script (BBC) — a compromised supplier script impacted payment information security during online transactions.