Strategy11 Team · Formidable Forms – Contact Form Plugin · CVE-2026-2890
**Name of the Vulnerable Software and Affected Versions**
Formidable Forms plugin for WordPress versions up to and including 6.28
**Description**
The Formidable Forms plugin for WordPress is susceptible to a payment integrity issue. The Stripe Link return handler, `handle_one_time_stripe_link_return_url`, confirms payment completion based only on the Stripe PaymentIntent status, without verifying the charged amount against the amount expected for the submission. Additionally, the `verify_intent()` function only checks client secret ownership and does not bind the intent to a specific form or payment action. Together, these gaps allow unauthenticated attackers to potentially reuse a PaymentIntent from a completed low-value payment to falsely mark a high-value payment as complete, bypassing payment for goods or services.
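The two missing checks the description names (amount verification and binding an intent to its form/action) are easiest to see side by side. The following PHP is an added illustration written for this page, not Formidable Forms' code: the PaymentIntent is a constructed array shaped like Stripe's API object (`id`, `status`, `amount`, `currency`, `metadata`), the `$expected` record stands in for whatever the server stored when it created the intent, and the function names and the in-memory `$consumed` set are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. Intent data is a constructed
// array mirroring Stripe's PaymentIntent fields; helpers are hypothetical.

// Vulnerable pattern described in the advisory: the intent's status is the
// only thing checked before the submission is marked paid.
function confirm_payment_vulnerable(array $intent): bool
{
    return ($intent['status'] ?? '') === 'succeeded';
}

// Hardened check. The intent must (1) have succeeded, (2) carry exactly the
// amount and currency the server recorded for this entry, (3) be bound to this
// form and entry through metadata the server set when it created the intent,
// and (4) not have been consumed by an earlier return visit (replay).
// $expected is the server-side record; $consumed is a persisted set of intent
// ids already used to mark an entry paid (an array here for illustration).
function confirm_payment_hardened(array $intent, array $expected, array &$consumed): bool
{
    if (($intent['status'] ?? '') !== 'succeeded') {
        return false;
    }
    // Stripe amounts are integers in the currency's minor unit (e.g. cents).
    if ((int) ($intent['amount'] ?? -1) !== (int) $expected['amount']) {
        return false;
    }
    if (strtolower((string) ($intent['currency'] ?? '')) !== strtolower((string) $expected['currency'])) {
        return false;
    }
    // Stripe metadata values are strings; compare against stringified ids.
    $meta = $intent['metadata'] ?? [];
    if (($meta['form_id'] ?? null) !== (string) $expected['form_id']
        || ($meta['entry_id'] ?? null) !== (string) $expected['entry_id']) {
        return false;
    }
    $id = (string) ($intent['id'] ?? '');
    if ($id === '' || isset($consumed[$id])) {
        return false; // missing id, or an intent that already paid for something
    }
    $consumed[$id] = true;
    return true;
}

// Constructed scenario: a succeeded $1.00 intent created for form 1 / entry 10.
$lowValueIntent = [
    'id'       => 'pi_constructed_low',
    'status'   => 'succeeded',
    'amount'   => 100,
    'currency' => 'usd',
    'metadata' => ['form_id' => '1', 'entry_id' => '10'],
];
// The server-side expectation for a different, $500.00 submission.
$highValueExpected = ['amount' => 50000, 'currency' => 'usd', 'form_id' => 2, 'entry_id' => 20];
$consumed = [];

// Status-only check accepts the low-value intent for the high-value entry.
var_dump(confirm_payment_vulnerable($lowValueIntent));                              // bool(true)
// Amount and binding checks reject it.
var_dump(confirm_payment_hardened($lowValueIntent, $highValueExpected, $consumed)); // bool(false)

// The legitimate case: intent and expectation agree, so the first return
// succeeds and a second visit with the same intent is refused as a replay.
$lowValueExpected = ['amount' => 100, 'currency' => 'usd', 'form_id' => 1, 'entry_id' => 10];
var_dump(confirm_payment_hardened($lowValueIntent, $lowValueExpected, $consumed));  // bool(true)
var_dump(confirm_payment_hardened($lowValueIntent, $lowValueExpected, $consumed));  // bool(false)
```

In a real handler the `$intent` array should come from a server-side retrieval of the PaymentIntent by id (or from a signature-verified webhook event), never from values carried in the return URL, and the consumed-intent set must be persisted so the replay check survives across requests.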
**Recommendations**
Update Formidable Forms plugin to a version beyond 6.28.