Etavrian
keyboard_arrow_right Created with Sketch.
News
keyboard_arrow_right Created with Sketch.
How a single plugin bug let attackers fake Stripe payments on 300,000 WordPress sites

How a single plugin bug let attackers fake Stripe payments on 300,000 WordPress sites

Author:
Etavrian AI
Reviewed:
Andrii Daniv
2
min read
Mar 13, 2026
Minimalist illustration of Stripe payment success badge cracking to reveal fake payments and fraud

A vulnerability in the Formidable Forms WordPress plugin, disclosed by Wordfence, allows unauthenticated attackers to misreport Stripe payments on affected sites.

The flaw, tracked as CVE-2026-2890, impacts Formidable Forms versions up to and including 6.28. Wordfence reports that a fix is available in version 6.29 and later.

Formidable Forms Flaw Lets Attackers Pay Less For Expensive Purchases
Formidable Forms vulnerability affects Stripe payment handling on WordPress sites.

Key Details

Formidable Forms is a drag-and-drop form builder used on more than 300,000 WordPress sites, according to its plugin listing. Site owners use it to create contact, registration, survey, and payment forms that integrate with gateways such as Stripe and PayPal.

  • Wordfence identifies the issue as a payment integrity bypass affecting Stripe Link one-time payment handling.
  • The flaw allows reuse of a valid Stripe PaymentIntent from a low-value payment to mark a higher-value payment as complete.
  • Attackers do not need an account on the target site, since the vulnerable process is accessible without authentication.
  • According to Wordfence, the handle_one_time_stripe_link_return_url function marks payments complete based only on PaymentIntent status.
  • The verify_intent() function reportedly confirms only that the client secret belongs to a user, without linking it to a specific form entry.
  • The vulnerability is tracked as CVE-2026-2890 and has a CVSS 3.1 base score of 7.5, rated High.
  • All Formidable Forms versions up to and including 6.28 are listed as affected in the Wordfence advisory.

Background Context

According to Wordfence, the Stripe Link return handler does not compare the charged amount against the amount expected by the form. As a result, a PaymentIntent created for a smaller charge can be reused during a separate transaction that should cost more.

The advisory notes that the plugin treats any successful PaymentIntent status as evidence of payment completion for the related form submission. Because the amount and specific action are not validated, attackers can cause higher-priced entries to be recorded as paid in Formidable Forms, even though Stripe processed only the smaller original charge.

The vulnerability does not grant remote code execution or direct server control. It affects transaction records by allowing goods or services to appear paid within the site workflow without matching Stripe charges. Wordfence states that version 6.29 of Formidable Forms contains a patch that addresses the described validation issues.

Wordfence attributes the issue to missing authorization checks combined with insufficient binding of PaymentIntents to individual forms or actions. The plugin continues to be available through the official WordPress plugin repository, where its active installation count exceeds 300,000. Wordfence notes that it recommends updating Formidable Forms to version 6.29 or newer.

Source Citations

Information about the vulnerability, impact, affected versions, and patch originates from Wordfence's public disclosure and advisory. Installation figures and plugin usage details are drawn from the official WordPress plugin directory.

Quickly summarize and get insighs with: 
Author
Etavrian AI
Etavrian AI is developed by Andrii Daniv to produce and optimize content for etavrian.com website.
Reviewed
Andrew Daniv, Andrii Daniv
Andrii Daniv
Andrii Daniv is the founder and owner of Etavrian, a performance-driven agency specializing in PPC and SEO services for B2B and e‑commerce businesses.
Quickly summarize and get insighs with: 
Table of contents
Table of contents

More articles

Minimalist AI powered map chat and search with decision tree UI cards and human silhouetteAsk Maps is Google's quiet Gemini upgrade changing how you explore nearby places
3
min read
AI discovery control hub with pricing card funnel PPC slider shield and user toggling revenueGPT-5.4 Just Quietly Rewrote SEO Rules For Brand And Ad Discovery
11
min read
Minimalist illustration of data funnel turning news into flood intelligence dashboard with person and toggleInside Groundsource, the Google AI Quietly Turning Global Flood Headlines Into Actionable Data
3
min read
News trained AI flood alert dashboard with shield cityscape forecast chart 24 hour timelineGoogle's new AI predicts city flash floods 24 hours ahead - but with a twist
3
min read
logo
Ready to speak with a
marketing expert?
Book a call
Services
SEO servicesGoogle Ads servicesMeta Ads servicesContent Marketing services
Company
About UsContact UsIndustriesOur Mission
Resources
NewsBlogCase studies
© 2026 Etavrian. All Rights Reserved.
Privacy Policy & Terms of Use
LinkedInFacebookTwitter