PT-2026-25159 · Strategy11 Team · Formidable Forms – Contact Form Plugin

Michael Iden

·

Published

2026-03-13

·

Updated

2026-03-13

·

CVE-2026-2888

CVSS v3.1

5.3

Medium

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Formidable Forms plugin for WordPress, versions up to and including 6.28
Description: The Formidable Forms plugin for WordPress is susceptible to an authorization bypass due to a user-controlled key. The frm_strp_amount AJAX handler (update_intent_ajax) overwrites the global $_POST array with attacker-controlled JSON input, which is then used to recalculate payment amounts through field shortcode resolution in the generate_false_entry() function. The handler checks a nonce that is exposed in the page's JavaScript (frm_stripe_vars.nonce); the nonce provides CSRF protection but does not enforce authorization. This allows unauthenticated attackers to manipulate PaymentIntent amounts before payment completion on forms that use dynamic pricing with field shortcodes, potentially resulting in reduced payment amounts for goods or services.
Recommendations: Versions up to and including 6.28 should be updated to a newer, fixed version when available. As a temporary workaround, consider disabling the frm_strp_amount AJAX handler (update_intent_ajax) until a patch is available, and restrict the generate_false_entry() function to authorized users only.
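The following PHP sketch is an added illustration for the description and recommendations above; it is not Formidable Forms code, and the form layout, function names and request values are constructed for the example. It contrasts recalculating a payment amount from caller-supplied field values (the pattern the advisory describes) with pricing the order only from server-side configuration.

```php
<?php
// Added illustration, not plugin code. All names and values are constructed.

// Constructed server-side form definition: the only legitimate source of prices.
$form_config = [
    'product' => [ 'options' => [ 'basic' => 4900, 'pro' => 12900 ] ],  // cents
    'qty'     => [ 'min' => 1, 'max' => 10 ],
    'formula' => '[product] * [qty]',
];

// WEAK pattern: caller JSON is merged over the request fields, then the amount
// is rebuilt by resolving shortcodes such as [product] against those
// caller-controlled values. The caller effectively chooses the unit price.
function weak_amount( array $request_fields, array $client_json, string $formula ): int {
    $fields = array_merge( $request_fields, $client_json );          // caller wins
    $expr   = preg_replace_callback( '/\[(\w+)\]/', function ( $m ) use ( $fields ) {
        return (string) (int) ( $fields[ $m[1] ] ?? 0 );
    }, $formula );
    [ $a, $b ] = array_map( 'intval', explode( '*', $expr ) );
    return $a * $b;
}

// HARDENED pattern: the client may only pick among server-defined options.
// Unit prices come from $form_config, numeric inputs are range-checked, and
// anything outside the definition is rejected rather than priced.
function server_amount( array $form_config, array $client_json ): ?int {
    $choice = $client_json['product'] ?? '';
    if ( ! is_string( $choice ) || ! isset( $form_config['product']['options'][ $choice ] ) ) {
        return null;                                                 // unknown option
    }
    $unit = $form_config['product']['options'][ $choice ];
    $qty  = (int) ( $client_json['qty'] ?? 0 );
    if ( $qty < $form_config['qty']['min'] || $qty > $form_config['qty']['max'] ) {
        return null;                                                 // out of range
    }
    return $unit * $qty;
}

// Constructed requests: an honest order and one that smuggles its own unit price.
$honest   = [ 'product' => 'pro', 'qty' => 1 ];
$tampered = [ 'product' => 1, 'qty' => 1 ];

if ( weak_amount( [ 'product' => 12900, 'qty' => 1 ], $tampered, $form_config['formula'] ) !== 1 ) {
    throw new RuntimeException( 'weak path should have accepted the tampered price' );
}
if ( server_amount( $form_config, $honest ) !== 12900 || server_amount( $form_config, $tampered ) !== null ) {
    throw new RuntimeException( 'hardened path should price from config and reject tampering' );
}
echo "hardened pricing ignores client-supplied amounts\n";
```

Independently of how the amount is derived, the nonce check alone should not be treated as authorization: it only ties the request to a rendered page, so the handler still needs a server-side check that the PaymentIntent being updated belongs to the caller's form session.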

Fix

IDOR

Weakness Enumeration

Related Identifiers

CVE-2026-2888

Affected Products

Formidable Forms – Contact Form Plugin