CVE-2026-2890
Formidable Forms <= 6.28 - Missing Authorization to Unauthenticated Payment Integrity Bypass via PaymentIntent ReuseThe Formidable Forms plugin for WordPress is vulnerable to a payment integrity bypass in all versions up to, and including, 6.28. This is due to the Stripe Link return handler (`handle_one_time_stripe_link_return_url`) marking payment records as complete based solely on the Stripe PaymentIntent status without comparing the intent's charged amount against the expected payment amount, and the `verify_intent()` function validating only client secret ownership without binding intents to specific forms or actions. This makes it possible for unauthenticated attackers to reuse a PaymentIntent from a completed low-value payment to mark a high-value payment as complete, effectively bypassing payment for goods or services.
We have discovered 59,936 live websites that are affected by CVE-2026-2890.
Affected Software
| Product |  Formidable Forms |
| Category | Wordpress Plugins |
| Vulnerable Domains | 59,936 live websites (87% of Formidable Forms install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 237 versions ( 100% of all versions) |
Common Weakness Enumeration
CWE-862 Missing AuthorizationDetails
- Published - Mar 13, 2026
- Updated - Apr 8, 2026
Credits
- Andrés Cruciani (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2026-2890 United States | 27,583 websites |
 GB | 4,150 websites |
 Germany | 4,143 websites |
 France | 3,852 websites |
 Canada | 2,514 websites |
 Netherlands | 2,510 websites |
 Australia | 1,699 websites |
 Italy | 1,342 websites |
 Switzerland | 1,242 websites |
 South Africa | 1,017 websites |
Website Distribution by TLD
Number of websites using CVE-2026-2890| .com | 29,841 websites |
| .org | 3,980 websites |
| .co.uk | 2,846 websites |
| .de | 2,462 websites |
| .nl | 2,426 websites |
| .fr | 1,865 websites |
| .com.au | 1,607 websites |
| .ca | 1,448 websites |
| .net | 1,206 websites |
| .ch | 1,047 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-2890
Top websites that are affected by CVE-2026-2890. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *********.com | United States | *** | |
| **************.com | Canada | *,*** | |
| ********.com | United States | *,*** | |
| ************.**.**.uk | GB | **,*** | |
| **************.com | United States | **,*** | |
| **********.me | United States | **,*** | |
| ************.uk | GB | **,*** | |
| ***********.com | United States | **,*** | |
| *******.org | United States | **,*** | |
| **********.com | Netherlands | **,*** |
FAQ
CVE-2026-2890 is Missing Authorization in Formidable Forms
A total of 59,936 websites have been identified as vulnerable to CVE-2026-2890, based on global website indexing conducted by WebTechSurvey.
The Formidable Forms is affected by the CVE-2026-2890 vulnerability.
Formidable Forms versions up to and including 6.28 are vulnerable to CVE-2026-2890.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ebb4bc5a-9469-4733-acf3-d2dda5edb7af?source=cve
- https://plugins.trac.wordpress.org/browser/formidable/tags/6.28/stripe/controllers/FrmStrpLiteLinkController.php#L429
- https://plugins.trac.wordpress.org/browser/formidable/tags/6.28/stripe/controllers/FrmStrpLiteLinkController.php#L79
- https://plugins.trac.wordpress.org/browser/formidable/tags/6.28/stripe/controllers/FrmStrpLiteHooksController.php#L92