Formidable Forms < 6.29 – Unauthenticated Payment Integrity Bypass via PaymentIntent Reuse | CVE 2026-2890 | Plugin Vulnerabilities

Description

The plugin is vulnerable to a payment integrity bypass due to the Stripe Link return handler (`handle_one_time_stripe_link_return_url`) marking payment records as complete based solely on the Stripe PaymentIntent status without comparing the intent's charged amount against the expected payment amount, and the `verify_intent()` function validating only client secret ownership without binding intents to specific forms or actions. This makes it possible for unauthenticated attackers to reuse a PaymentIntent from a completed low-value payment to mark a high-value payment as complete, effectively bypassing payment for goods or services.

Affects Plugins

Fixed in 6.29

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ebb4bc5a-9469-4733-acf3-d2dda5edb7af

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Andres Cruciani

Verified

No

WPVDB ID

b405bf0e-b253-445e-9c4d-67b7b871cb79

Timeline

Publicly Published

2026-03-12 (about 2 months ago)

Added

2026-03-13 (about 2 months ago)

Last Updated

2026-05-11 (about 2 days ago)

Other

Published

Title

Published

2026-02-23

Title

WBW Currency Switcher for WooCommerce < 2.2.6 - Missing Authorization

Published

2025-08-26

Title

Zephyr Project Manager < 3.3.202 - Missing Authorization

Published

2023-11-14

Title

Essential Grid < 3.0.19 - Missing Authorization

Published

2025-11-17

Title

Multiple Roles per User <= 1.0 - Missing Authorization to Authenticated (Custom+) Privilege Escalation

Published

2023-08-09

Title

User Activity Log < 1.6.6 - Subscriber+ Log Export