CVE-2026-2890 is a missing authorization vulnerability (CWE-862) in the Formidable Forms WordPress plugin, specifically affecting the payment processing workflow with Stripe. The plugin's function handle_one_time_stripe_link_return_url marks payment records as complete based solely on the PaymentIntent status returned by Stripe, without verifying that the charged amount matches the expected payment amount for the transaction. Furthermore, the verify_intent() function only validates ownership of the client secret but does not bind the PaymentIntent to a particular form submission or payment action. This architectural flaw allows an attacker to reuse a PaymentIntent from a previously completed low-value transaction to mark a new, higher-value transaction as paid without actually making the payment. The vulnerability affects all versions up to 6.28 inclusive. The CVSS v3.1 score is 7.5 (high), reflecting the ease of exploitation (no authentication or user interaction required), the impact on integrity (unauthorized payment completion), and network attack vector. Although no known exploits have been observed in the wild yet, the vulnerability poses a serious risk to merchants relying on this plugin for payment processing. The lack of proper authorization checks and binding of payment intents to specific transactions is the root cause, highlighting a critical design oversight in the plugin's payment verification logic.

The primary impact of this vulnerability is financial fraud through payment bypass. Attackers can exploit the flaw to mark high-value payments as complete without actually paying, resulting in revenue loss for merchants using the Formidable Forms plugin with Stripe integration. This undermines the integrity of the payment process and can lead to significant monetary damage, chargebacks, and reputational harm. Since the vulnerability requires no authentication or user interaction, it can be exploited remotely by anyone aware of the flaw, increasing the attack surface. Organizations relying on this plugin for e-commerce, donations, or any paid services are at risk. Additionally, the trustworthiness of transaction records is compromised, which may affect accounting and compliance. The vulnerability does not impact confidentiality or availability directly but severely impacts transaction integrity and business operations.

To mitigate this vulnerability, organizations should immediately update the Formidable Forms plugin to a patched version once available from the vendor. In the absence of an official patch, temporary mitigations include disabling Stripe payment functionality within the plugin or switching to alternative payment processing plugins that properly validate PaymentIntent amounts and bind them to specific transactions. Developers should implement strict server-side validation that compares the charged amount in the PaymentIntent with the expected payment amount for the form submission before marking payments as complete. Additionally, the verify_intent() function should be enhanced to bind PaymentIntents to specific form IDs or transaction identifiers to prevent reuse. Monitoring payment records for anomalies such as repeated use of the same PaymentIntent ID for multiple transactions can help detect exploitation attempts. Organizations should also review logs for suspicious payment completions and consider implementing additional fraud detection controls at the payment gateway or application level.