4 matches found

CVE
added 2026/03/13 8:25 a.m. | 6 views

CVE-2026-2888

CVE-2026-2888 affects Formidable Forms for WordPress in versions up to and including 6.28. The issue is an authorization bypass in the frm_strp_amount AJAX handler, where attacker-controlled JSON input overwrites global POST data and is used to recalculate PaymentIntent amounts via field shortcod...

CVSS: 5.3 | AI score: 5.8 | EPSS: 0.00026
Exploits: 0 | References: 5
Cvelist
added 2026/03/13 8:25 a.m. | 21 views

CVE-2026-2888 Formidable Forms <= 6.28 - Unauthenticated Payment Amount Manipulation via 'item_meta' Parameter

The Formidable Forms plugin for WordPress is vulnerable to an authorization bypass through user-controlled key in all versions up to, and including, 6.28. This is due to the frm_strp_amount AJAX handler update_intent_ajax overwriting the global $_POST data with attacker-controlled JSON input and then...

CVSS: 5.3 | EPSS: 0.00026
Exploits: 0 | References: 5
Vulnrichment
added 2026/03/13 8:25 a.m. | 1 view

CVE-2026-2888 Formidable Forms <= 6.28 - Unauthenticated Payment Amount Manipulation via 'item_meta' Parameter

The Formidable Forms plugin for WordPress is vulnerable to an authorization bypass through user-controlled key in all versions up to, and including, 6.28. This is due to the frm_strp_amount AJAX handler update_intent_ajax overwriting the global $_POST data with attacker-controlled JSON input and then...

CVSS: 5.3 | AI score: 5.8 | EPSS: 0.00026
Exploits: 0 | References: 5
Patchstack
added 2026/03/13 7:51 a.m. | 2 views

WordPress Formidable Forms plugin <= 6.28 - Unauthenticated Payment Amount Manipulation via 'item_meta' Parameter vulnerability

Unauthenticated Payment Amount Manipulation via 'item_meta' Parameter vulnerability discovered by Michael Iden Mickhat - Hack The Box in WordPress Plugin Formidable Forms versions <= 6.28...

CVSS: 5.3 | AI score: 5.8 | EPSS: 0.00026
Exploits: 0 | References: 1 | Affected Software: 1