CVE-2026-2888 Overview
The Formidable Forms plugin for WordPress contains an authorization bypass through a user-controlled key that affects all versions up to and including 6.28. The flaw is in the frm_strp_amount AJAX handler (update_intent_ajax), which overwrites the global $_POST data with attacker-controlled JSON input; the manipulated values are then used to recalculate payment amounts via field shortcode resolution in generate_false_entry().
The handler relies on a nonce that is publicly exposed in the page's JavaScript (frm_stripe_vars.nonce). The nonce provides CSRF protection but does not establish authorization, so unauthenticated attackers can manipulate Stripe PaymentIntent amounts before payment completion on forms that use dynamic pricing with field shortcodes.
Critical Impact
Unauthenticated attackers can manipulate payment amounts on Formidable Forms with Stripe integration, effectively paying a reduced amount for goods or services by exploiting the authorization bypass in the payment handling AJAX endpoint.
Affected Products
- Formidable Forms WordPress Plugin versions up to and including 6.28
- WordPress sites using Formidable Forms with Stripe payment integration
- Forms utilizing dynamic pricing with field shortcodes
Discovery Timeline
- 2026-03-13 - CVE-2026-2888 published to NVD
- 2026-03-16 - Last updated in NVD database
Technical Details for CVE-2026-2888
Vulnerability Analysis
This authorization bypass vulnerability (CWE-639: Authorization Bypass Through User-Controlled Key) stems from how the Formidable Forms plugin handles payment amount calculations for Stripe transactions: the payment flow lets attackers inject arbitrary values into the payment processing pipeline.
The core issue lies in the update_intent_ajax function within FrmStrpLiteHooksController.php, which accepts JSON input from the client and uses it to overwrite critical $_POST data. This overwritten data is subsequently processed by generate_false_entry() in FrmStrpLiteAuth.php, which recalculates payment amounts using field shortcode resolution. Because the nonce used for validation (frm_stripe_vars.nonce) is publicly accessible in the page's JavaScript source, any unauthenticated user can craft valid requests.
Root Cause
The root cause of this vulnerability is the improper implementation of access control in the AJAX payment handler. While the plugin correctly implements CSRF protection through nonce verification, it incorrectly assumes that nonce validation is sufficient for authorization. The exposed nonce in frm_stripe_vars.nonce within the page's JavaScript means that any visitor to a page containing a Formidable Forms payment form can obtain the valid nonce and use it to manipulate payment amounts.
Additionally, the practice of overwriting $_POST global data with user-supplied JSON input creates an insecure data flow where attacker-controlled values propagate through the payment calculation logic without proper sanitization or authorization checks.
Attack Vector
The attack vector is network-based and requires no authentication or privileges. An attacker can exploit this vulnerability by:
- Visiting a page containing a Formidable Forms payment form with Stripe integration
- Extracting the publicly exposed nonce from frm_stripe_vars.nonce in the page's JavaScript
- Crafting a malicious AJAX request to the frm_strp_amount action with manipulated JSON payload
- Submitting the request to overwrite the $_POST data with attacker-controlled values
- The plugin's generate_false_entry() function processes these values and recalculates the PaymentIntent with a reduced amount
The vulnerability mechanism involves the AJAX handler accepting and trusting client-provided JSON data to recalculate payment amounts. The attacker can specify arbitrary field values that are used in dynamic pricing calculations, resulting in a lower payment amount being sent to Stripe while the form submission appears legitimate to the application. Technical implementation details can be found in the WordPress Hook Controller File and FrmStrpLiteAuth.php model.
Detection Methods for CVE-2026-2888
Indicators of Compromise
- Unusual AJAX requests to the frm_strp_amount action with JSON payloads containing manipulated pricing data
- Stripe PaymentIntent records with amounts that don't match expected form calculations or product prices
- Discrepancies between order values in the WordPress database and actual Stripe payment amounts
- Log entries showing POST requests to admin-ajax.php with action=frm_strp_amount from unauthenticated sessions
Detection Strategies
- Implement web application firewall (WAF) rules to monitor and alert on suspicious frm_strp_amount AJAX requests with unusual JSON payloads
- Configure server-side logging to capture all AJAX requests to Formidable Forms payment endpoints, including request body content
- Set up anomaly detection for Stripe webhook events where payment amounts differ significantly from expected values
- Deploy integrity monitoring on Formidable Forms plugin files to detect any unauthorized modifications
Monitoring Recommendations
- Enable detailed WordPress debug logging for the Formidable Forms plugin to track payment processing activities
- Configure Stripe dashboard alerts for payments below expected thresholds or unusual payment patterns
- Implement real-time monitoring of admin-ajax.php requests filtering for Formidable Forms-related actions
- Set up automated reconciliation between WordPress order records and Stripe payment records to identify discrepancies
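The log-based indicators and monitoring items above, worked through as an added example (not code from the advisory or the plugin): it scans a constructed request log for POSTs to admin-ajax.php carrying action=frm_strp_amount without a WordPress login cookie. The JSON log layout and its field names are assumptions; the body is logged because detecting the action reliably needs it.

```python
"""Flag frm_strp_amount AJAX calls from unauthenticated sessions in request logs.
Added example, not from the advisory or the plugin. Assumes each admin-ajax.php
request is logged as one JSON object with the (assumed) fields used below, including
the request body, as the advisory's detection strategy recommends."""
from __future__ import annotations
import json
from collections import Counter
from urllib.parse import parse_qs, urlsplit

TARGET_ACTION = "frm_strp_amount"
LOGIN_COOKIE_PREFIX = "wordpress_logged_in_"  # WordPress sets this cookie for logged-in users
# Constructed sample log lines (not real traffic). Nonce value is a placeholder.
SAMPLE_LOG = """\
{"ip":"203.0.113.5","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=frm_strp_amount&nonce=NONCE","cookies":""}
{"ip":"198.51.100.7","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=heartbeat","cookies":"wordpress_logged_in_x=editor|1"}
{"ip":"203.0.113.5","method":"POST","uri":"/wp-admin/admin-ajax.php?action=frm_strp_amount","body":"nonce=NONCE","cookies":""}
{"ip":"192.0.2.9","method":"GET","uri":"/checkout/","body":"","cookies":""}
"""

def request_action(uri: str, body: str) -> str | None:
    """admin-ajax.php accepts `action` from the query string or the POST body; check both."""
    for raw in (urlsplit(uri).query, body):
        values = parse_qs(raw).get("action")
        if values:
            return values[0]
    return None

def is_authenticated(cookies: str) -> bool:
    return LOGIN_COOKIE_PREFIX in cookies

def flag_suspicious(log_text: str) -> list[dict]:
    """Entries matching the IoC: POST to admin-ajax.php, action=frm_strp_amount, no login cookie."""
    hits = []
    for line in filter(None, log_text.splitlines()):
        e = json.loads(line)
        if (e["method"] == "POST"
                and urlsplit(e["uri"]).path == "/wp-admin/admin-ajax.php"
                and request_action(e["uri"], e["body"]) == TARGET_ACTION
                and not is_authenticated(e["cookies"])):
            hits.append(e)
    return hits

def hits_per_ip(hits: list[dict]) -> Counter:
    """Repeated calls from one address are worth a closer look than a single one."""
    return Counter(h["ip"] for h in hits)

if __name__ == "__main__":
    found = flag_suspicious(SAMPLE_LOG)
    for h in found:
        print(f"{h['ip']} {h['uri']} body={h['body']}")
```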
How to Mitigate CVE-2026-2888
Immediate Actions Required
- Update Formidable Forms plugin to a version newer than 6.28 that includes the security patch
- Audit recent Stripe transactions for any signs of payment amount manipulation
- Temporarily disable Stripe payment functionality on affected forms until the patch is applied
- Review server logs for any indicators of compromise related to the frm_strp_amount AJAX endpoint
Patch Information
The vendor has released a security patch addressing this authorization bypass vulnerability. The fix can be reviewed in the WordPress Changeset Update which implements proper authorization checks beyond the publicly exposed nonce. For detailed vulnerability information, refer to the Wordfence Vulnerability Report.
Workarounds
- Implement a web application firewall (WAF) rule to block or sanitize requests to the frm_strp_amount AJAX action until the plugin can be updated
- Configure server-level rate limiting on admin-ajax.php to reduce the attack surface
- Temporarily switch to fixed-price forms without dynamic pricing field shortcodes until the patch is applied
- Add server-side validation to verify payment amounts against expected values before processing Stripe transactions
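The reconciliation recommended under Monitoring Recommendations and the server-side amount validation listed above, as an added example (not code from the advisory, the plugin or Stripe's SDK): expected totals recomputed on the server are compared with what Stripe actually charged. The record layouts and sample data are constructed; the one real detail is that Stripe reports amounts as integers in the currency's smallest unit, which is where naive comparisons go wrong.

```python
"""Reconcile WordPress orders against Stripe PaymentIntents (added example, not advisory or plugin
code). Layouts and sample data are constructed; Stripe's integer smallest-unit amounts are real."""
from __future__ import annotations
from dataclasses import dataclass
from decimal import Decimal
ZERO_DECIMAL = {"jpy", "krw", "vnd", "clp"}  # subset of Stripe's zero-decimal currencies

def to_minor_units(amount: Decimal, currency: str) -> int:
    """Decimal price -> the integer Stripe reports (4999 for USD 49.99, 5000 for JPY 5000)."""
    factor = 1 if currency.lower() in ZERO_DECIMAL else 100
    return int((amount * factor).quantize(Decimal("1")))

@dataclass
class WpOrder:
    entry_id: int
    expected_total: Decimal  # recomputed server-side from the form's pricing, never from client input
    currency: str
@dataclass
class StripeIntent:
    id: str
    amount: int           # smallest currency unit, as Stripe reports it
    currency: str
    entry_id: int | None  # would come from PaymentIntent metadata in a real integration

def reconcile(orders: list[WpOrder], intents: list[StripeIntent]) -> list[tuple[str, str]]:
    """One finding per intent that is orphaned, in the wrong currency, or underpaid."""
    by_entry = {o.entry_id: o for o in orders}
    findings = []
    for pi in intents:
        order = by_entry.get(pi.entry_id)
        if order is None:
            findings.append((pi.id, "no matching WordPress entry"))
        elif pi.currency.lower() != order.currency.lower():
            findings.append((pi.id, f"currency {pi.currency} != {order.currency}"))
        elif pi.amount != (expected := to_minor_units(order.expected_total, order.currency)):
            findings.append((pi.id, f"amount {pi.amount} != expected {expected}"))
    return findings

# Constructed sample data (not real orders or Stripe objects).
ORDERS = [WpOrder(101, Decimal("49.99"), "usd"),
          WpOrder(102, Decimal("5000"), "jpy"),
          WpOrder(103, Decimal("120.00"), "usd")]
INTENTS = [StripeIntent("pi_ok", 4999, "usd", 101),      # matches
           StripeIntent("pi_jpy", 5000, "jpy", 102),     # matches: zero-decimal currency
           StripeIntent("pi_low", 100, "usd", 103),      # tampered: 1.00 charged on a 120.00 order
           StripeIntent("pi_orphan", 4999, "usd", 999)]  # no entry behind it

if __name__ == "__main__":
    for pi_id, reason in reconcile(ORDERS, INTENTS):
        print(f"{pi_id}: {reason}")
```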
# Example: Block suspicious AJAX requests via .htaccess (temporary workaround)
# Caveat: mod_rewrite only sees the request line, so this matches action=frm_strp_amount
# when it is in the query string. admin-ajax.php also reads the action from the POST
# body, which this rule cannot inspect; body-level blocking needs the WAF rule listed above.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^/wp-admin/admin-ajax\.php$ [NC]
    RewriteCond %{QUERY_STRING} action=frm_strp_amount [NC]
    RewriteCond %{REQUEST_METHOD} POST
    RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


