PT-2026-25153 · Strategy11 Team · Formidable Forms – Contact Form Plugin

Andres Cruciani +1 · Published 2026-03-13 · Updated 2026-03-14 · CVE-2026-2890

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Formidable Forms plugin for WordPress, versions up to and including 6.28

Description: The Formidable Forms plugin for WordPress is susceptible to a payment integrity issue. The Stripe Link return handler, handle_one_time_stripe_link_return_url, treats a payment as complete based only on the Stripe PaymentIntent status and never compares the amount actually charged with the amount the form or action expects. In addition, verify_intent() only checks that the caller holds the intent's client secret; it does not bind the intent to a specific form or payment action. An unauthenticated attacker who has completed a low-value payment can therefore present that succeeded PaymentIntent on the return URL of a high-value payment and have it marked as paid, bypassing payment for goods or services.
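The two checks the description names, modelled side by side as an added Python example (illustrative logic, not the plugin's PHP code): the PaymentIntent objects, their IDs, client secrets, form/action IDs and amounts are constructed sample data, retrieve_intent stands in for the Stripe API call, and vulnerable_confirm, hardened_confirm and PaymentLedger are hypothetical names. The hardened path also adds one-time consumption of each intent, which goes beyond the two checks the advisory lists.

```python
import hmac
from dataclasses import dataclass

# Constructed sample data: two PaymentIntents shaped like the JSON Stripe
# returns (amount is in minor units, so 100 == $1.00). All values are assumed.
SAMPLE_INTENTS = {
    "pi_low": {
        "id": "pi_low",
        "status": "succeeded",                # the attacker really paid $1.00
        "amount": 100,
        "currency": "usd",
        "client_secret": "pi_low_secret_111",
        "metadata": {"form_id": "7", "action_id": "70"},
    },
    "pi_high": {
        "id": "pi_high",
        "status": "requires_payment_method",  # the $500 intent was never paid
        "amount": 50000,
        "currency": "usd",
        "client_secret": "pi_high_secret_222",
        "metadata": {"form_id": "9", "action_id": "90"},
    },
}


def retrieve_intent(intent_id):
    """Stand-in for the Stripe PaymentIntent retrieve call; no network I/O."""
    return SAMPLE_INTENTS.get(intent_id)


@dataclass(frozen=True)
class ExpectedPayment:
    """What the server itself knows a given form/action should charge."""
    form_id: str
    action_id: str
    amount: int
    currency: str


def vulnerable_confirm(intent_id, client_secret, expected):
    """Models the flawed flow: holding the client secret plus a 'succeeded'
    status is accepted as proof that *this* payment (expected) was made.
    The expected amount, form and action are never consulted."""
    intent = retrieve_intent(intent_id)
    if intent is None or intent["client_secret"] != client_secret:
        return False
    return intent["status"] == "succeeded"


def hardened_confirm(intent_id, client_secret, expected):
    """Binds the intent to the amount, currency, form and action the server
    expects, not merely to whoever holds the client secret."""
    intent = retrieve_intent(intent_id)
    if intent is None:
        return False
    if not hmac.compare_digest(intent["client_secret"], client_secret):
        return False
    if intent["status"] != "succeeded":
        return False
    if intent["amount"] != expected.amount or intent["currency"] != expected.currency:
        return False
    # metadata is written server-side when the intent is created, so a customer
    # cannot re-label a cheap intent as belonging to an expensive form/action
    meta = intent.get("metadata") or {}
    return (meta.get("form_id") == expected.form_id
            and meta.get("action_id") == expected.action_id)


class PaymentLedger:
    """One-time use on top of hardened_confirm: a PaymentIntent may settle at
    most one entry, so a genuinely paid intent cannot be replayed elsewhere."""

    def __init__(self):
        self.consumed = {}  # intent_id -> entry_id that it settled

    def settle(self, entry_id, intent_id, client_secret, expected):
        if not hardened_confirm(intent_id, client_secret, expected):
            return False
        owner = self.consumed.setdefault(intent_id, entry_id)
        return owner == entry_id   # idempotent for the same entry, rejected for any other


if __name__ == "__main__":
    low = ExpectedPayment("7", "70", 100, "usd")
    high = ExpectedPayment("9", "90", 50000, "usd")
    # Replay: the $1.00 intent's id/secret presented on the $500 return URL
    print("vulnerable:", vulnerable_confirm("pi_low", "pi_low_secret_111", high))
    print("hardened:  ", hardened_confirm("pi_low", "pi_low_secret_111", high))
```

The attacker legitimately owns both the intent ID and the client secret of the cheap intent, so a secret-ownership check cannot distinguish the two requests; only comparing the charged amount and the server-side metadata against what the target form expects does. Consuming each intent once closes the remaining gap, where a correctly priced intent is replayed against a second entry of the same form.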
Recommendations: Update the Formidable Forms plugin to a version later than 6.28.

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-2890

Affected Products

Formidable Forms – Contact Form Plugin