CVE-2026-2888: CWE-639 Authorization Bypass Through User-Controlled Key in strategy11team Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
CVE-2026-2888 is a medium-severity authorization bypass in the Formidable Forms WordPress plugin, affecting versions up to and including 6.28. The `frm_strp_amount` AJAX handler overwrites the global `$_POST` array with attacker-supplied JSON, so the field values that dynamic pricing shortcodes resolve to are attacker-controlled and the resulting payment amount can be manipulated. The handler does check a nonce, but that nonce is exposed to every visitor in the page's JavaScript; a WordPress nonce defends against CSRF, not against unauthorized callers, so unauthenticated attackers can reduce the amount charged on payment forms. The flaw affects the integrity of payment processing only; confidentiality and availability are not impacted. No exploitation in the wild has been reported. Organizations using the plugin for payment forms with dynamic pricing risk financial loss through underpayment. Mitigation is to patch, or to disable dynamic pricing until a fix is applied. Countries with widespread WordPress usage and heavy e-commerce reliance are most exposed.
AI Analysis
Technical Summary
CVE-2026-2888 affects the Formidable Forms plugin for WordPress, versions up to and including 6.28. The root cause is an authorization bypass through a user-controlled key (CWE-639) in the AJAX handler `frm_strp_amount` (also known as `update_intent_ajax`). The handler recalculates a payment amount by overwriting the global `$_POST` array with JSON taken from the request, so every field value the recalculation reads is attacker-controlled. The recalculation happens in `generate_false_entry()`, which resolves dynamic pricing by expanding field shortcodes against those values; any field that feeds the price can therefore be set to whatever figure the attacker chooses. The handler does verify a nonce, but the nonce is emitted to every visitor in the page's JavaScript as `frm_stripe_vars.nonce`. For logged-out visitors a WordPress nonce is handed to anyone who loads the form, so it only proves that the request was assembled from the site's own page, which defeats CSRF; it is not a capability check and does not restrict who may call the handler. An unauthenticated attacker can thus change the PaymentIntent amount before the payment is confirmed and pay less than the configured price. The CVSS v3.1 base score is 5.3 (medium), consistent with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N: network-reachable, low attack complexity, no privileges or user interaction required, low integrity impact, and no confidentiality or availability impact. No exploitation in the wild had been reported as of publication. The plugin is widely deployed for contact forms, surveys, quizzes, payments, calculators and custom form building, so the affected population is broad.
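The following is an added illustration, not code from Formidable Forms or from the advisory. It models the pattern described above (client JSON replacing `$_POST`, then field shortcodes resolved into a price) beside a hardened version that derives the amount only from the server-side form definition. The field names, prices, template and the `plan` dropdown are constructed for the example; the nonce check is deliberately left out because, as explained above, it plays no part in protecting the amount.

```php
<?php
// Added example, not Formidable Forms code. It models the pattern the advisory
// describes (client JSON replacing $_POST, then field shortcodes resolved into a
// price) next to a hardened version. Field names, prices and the template are
// constructed; "plan" stands in for a dropdown whose options carry prices.

// Server-side form configuration, prices in minor units (cents).
const FORM = [
    'amount_template' => '[plan] * [qty]',
    'fields' => [
        'plan' => ['type' => 'select', 'options' => ['basic' => 2000, 'pro' => 5000]],
        'qty'  => ['type' => 'number', 'min' => 1, 'max' => 10],
    ],
];

// Replace every [name] shortcode with the value supplied for "name".
function resolve_shortcodes(string $template, array $values): string
{
    return preg_replace_callback(
        '/\[(\w+)\]/',
        fn (array $m): string => (string) ($values[$m[1]] ?? ''),
        $template
    );
}

// Minimal evaluator for the "a * b * c" shape the template uses.
function eval_product(string $expr): float
{
    $total = 1.0;
    foreach (explode('*', $expr) as $operand) {
        $total *= (float) trim($operand);
    }
    return $total;
}

// Vulnerable: the decoded request body becomes the request, and the shortcodes
// read the *price* from it. A select field's submitted value is just a string,
// so the client can submit any number in place of the configured option price.
function vulnerable_amount(string $client_json): int
{
    $_POST = json_decode($client_json, true) ?: [];
    $expr  = resolve_shortcodes(FORM['amount_template'], $_POST);
    return (int) round(eval_product($expr));
}

// Hardened: submitted values only choose among server-side options or are
// clamped to the configured range; the price itself never comes from the client.
function hardened_amount(array $submitted): int
{
    $fields = FORM['fields'];

    $plan = $submitted['plan'] ?? null;
    if (!is_string($plan) || !isset($fields['plan']['options'][$plan])) {
        throw new InvalidArgumentException('plan is not a configured option');
    }

    $qty = filter_var($submitted['qty'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $fields['qty']['min'], 'max_range' => $fields['qty']['max']],
    ]);
    if ($qty === false) {
        throw new InvalidArgumentException('qty is outside the configured range');
    }

    // Same resolver, but fed only values the server vouches for.
    $trusted = ['plan' => $fields['plan']['options'][$plan], 'qty' => $qty];
    return (int) round(eval_product(resolve_shortcodes(FORM['amount_template'], $trusted)));
}

// Constructed attacker payload: two units, with the plan's price overwritten to 1 cent.
$attack = json_encode(['plan' => '1', 'qty' => '2']);
printf("vulnerable: %d cents\n", vulnerable_amount($attack));

try {
    hardened_amount(json_decode($attack, true));
} catch (InvalidArgumentException $e) {
    printf("hardened: rejected (%s)\n", $e->getMessage());
}
printf("hardened: %d cents\n", hardened_amount(['plan' => 'pro', 'qty' => '2']));
```

Run with `php` on the command line: the vulnerable path charges the attacker's figure, while the hardened path rejects the same payload because `1` is not a configured option, and only produces an amount for a legitimate selection. The design point is that the shortcode resolver itself is not the bug; feeding it values the client wrote is.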
Potential Impact
The primary impact of CVE-2026-2888 is financial loss from unauthorized manipulation of payment amounts on sites running the vulnerable Formidable Forms plugin with dynamic pricing enabled. Attackers can reduce the amount charged without authentication or user interaction, compromising the integrity of payment transactions and causing revenue loss for e-commerce sites, subscription services, or any online business that relies on the plugin for payment processing. Confidentiality and availability are not directly affected, but the trustworthiness of payment data is undermined, and an organization may face reputational damage if exploitation becomes public. The scope covers every WordPress site running an affected version with dynamic pricing in use, which could be substantial given WordPress's market share. The absence of known exploits currently limits immediate widespread impact, but exploitation is straightforward because the nonce is public and no authorization check stands in the way.
Mitigation Recommendations
1. Update Formidable Forms to a version that fixes the authorization bypass as soon as the vendor releases one.
2. Until patched, disable dynamic pricing, or take offline the payment forms that depend on the `frm_strp_amount` handler, so the vulnerable code path cannot be reached.
3. Treat the nonce as CSRF protection only. A nonce emitted to the front end is available to every visitor, so it cannot be the control that protects the amount: derive the amount on the server from the stored form configuration, and validate submitted field values against the field definitions (for example, a dropdown value must be one of its configured options) before any shortcode is resolved into a price.
4. Reconcile every completed payment against the amount the server expected for that order before fulfilling it; never fulfil on the strength of a client-initiated PaymentIntent amount alone.
5. Monitor payment transactions for anomalies such as unexpectedly low amounts, amounts that match no configured price, or repeated amount-update requests from a single client.
6. Add Web Application Firewall rules for requests carrying `action=frm_strp_amount` (for a standard `wp_ajax_` handler these arrive at `admin-ajax.php`) to log, rate-limit, or block them while the site remains unpatched.
7. Audit WordPress plugins regularly, especially those that handle payments, for handlers that let client input replace server-side state.
8. Educate developers and administrators that a WordPress nonce is not an authorization check, and that AJAX handlers must validate every value they act on regardless of who the caller is.
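A concrete form of items 2, 5 and 6 above, as an added example rather than vendor or advisory code: a must-use plugin that refuses the `frm_strp_amount` action before it is dispatched and logs each attempt. The action name comes from the advisory; that it is routed through `admin-ajax.php` as an ordinary `wp_ajax_` action is an assumption about the plugin, and the log format and function names are this example's own.

```php
<?php
/**
 * Plugin Name: Temporary block for frm_strp_amount (CVE-2026-2888 workaround)
 *
 * Added example, not vendor code. Drop into wp-content/mu-plugins/ to refuse the
 * frm_strp_amount AJAX action until Formidable Forms is patched, and to log every
 * attempt so it can be correlated with payment anomalies. The action name comes
 * from the advisory; that it is dispatched through admin-ajax.php as a normal
 * wp_ajax_ action is an assumption about the plugin. Delete this file after patching.
 */

defined('ABSPATH') || exit;

const FRM_STRP_WORKAROUND_ACTION = 'frm_strp_amount';

// admin-ajax.php reads the action from $_REQUEST before dispatching the handler.
function frm_strp_workaround_is_target(): bool
{
    return wp_doing_ajax() && (($_REQUEST['action'] ?? '') === FRM_STRP_WORKAROUND_ACTION);
}

// Record parameter names only, including the keys of any parameter that decodes
// as a JSON object, so field-overwrite attempts are visible in the log without
// writing customer data to it.
function frm_strp_workaround_keys(): array
{
    $keys = [];
    foreach ($_POST as $name => $value) {
        $keys[] = (string) $name;
        if (is_string($value) && ($decoded = json_decode($value, true)) && is_array($decoded)) {
            foreach (array_keys($decoded) as $inner) {
                $keys[] = $name . '.' . $inner;
            }
        }
    }
    return $keys;
}

function frm_strp_workaround_log(string $outcome): void
{
    error_log(sprintf(
        '[cve-2026-2888] %s action=%s ip=%s user=%d referer=%s keys=%s',
        $outcome,
        FRM_STRP_WORKAROUND_ACTION,
        $_SERVER['REMOTE_ADDR'] ?? '-',
        get_current_user_id(),
        $_SERVER['HTTP_REFERER'] ?? '-',
        implode(',', frm_strp_workaround_keys())
    ));
}

// admin_init fires inside admin-ajax.php before the wp_ajax_* / wp_ajax_nopriv_*
// action is dispatched, so refusing here runs ahead of the vulnerable handler.
add_action('admin_init', function (): void {
    if (!frm_strp_workaround_is_target()) {
        return;
    }
    frm_strp_workaround_log('blocked');
    wp_send_json_error(['message' => 'Dynamic pricing is temporarily disabled.'], 403);
}, 0);
```

This trades availability of dynamic-pricing checkout for integrity, which is exactly the trade the advisory's second recommendation asks for while a patch is pending. The `[cve-2026-2888]` prefix in the PHP error log gives a single string to alert on; the logged parameter keys are what a reviewer needs to tell a normal checkout from a request that is trying to overwrite price-bearing fields.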
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-20T17:11:27.201Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b3ceae2f860ef943b31138
Added to database: 3/13/2026, 8:45:34 AM
Last enriched: 3/13/2026, 8:59:37 AM
Last updated: 3/13/2026, 9:55:10 AM