CVE-2026-2888

{"id": "CVE-2026-2888", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2026-03-13T19:54:34.707", "references": [{"url": "https://plugins.trac.wordpress.org/browser/formidable/tags/6.28/stripe/controllers/FrmStrpLiteHooksController.php#L88", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/formidable/tags/6.28/stripe/models/FrmStrpLiteAuth.php#L322", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/formidable/tags/6.28/stripe/models/FrmStrpLiteAuth.php#L402", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3480574%40formidable%2Ftrunk&old=3460198%40formidable%2Ftrunk&sfp_email=&sfph_mail=", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b8be3b6e-a035-4e6f-ba2b-ce9e59ebf2e0?source=cve", "source": "security@wordfence.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "The Formidable Forms plugin for WordPress is vulnerable to an authorization bypass through user-controlled key in all versions up to, and including, 6.28. This is due to the `frm_strp_amount` AJAX handler (`update_intent_ajax`) overwriting the global `$_POST` data with attacker-controlled JSON input and then using those values to recalculate payment amounts via field shortcode resolution in `generate_false_entry()`. The handler relies on a nonce that is publicly exposed in the page's JavaScript (`frm_stripe_vars.nonce`), which provides CSRF protection but not authorization. This makes it possible for unauthenticated attackers to manipulate PaymentIntent amounts before payment completion on forms using dynamic pricing with field shortcodes, effectively paying a reduced amount for goods or services."}, {"lang": "es", "value": "El plugin Formidable Forms para WordPress es vulnerable a un bypass de autorizaci\u00f3n a trav\u00e9s de una clave controlada por el usuario en todas las versiones hasta la 6.28, inclusive. Esto se debe a que el gestor AJAX `frm_strp_amount` (`update_intent_ajax`) sobrescribe los datos globales `$_POST` con entrada JSON controlada por el atacante y luego utiliza esos valores para recalcular los importes de pago a trav\u00e9s de la resoluci\u00f3n de shortcode de campo en `generate_false_entry()`. El gestor se basa en un nonce que est\u00e1 expuesto p\u00fablicamente en el JavaScript de la p\u00e1gina (`frm_stripe_vars.nonce`), lo que proporciona protecci\u00f3n CSRF pero no autorizaci\u00f3n. Esto hace posible que atacantes no autenticados manipulen los importes de PaymentIntent antes de la finalizaci\u00f3n del pago en formularios que utilizan precios din\u00e1micos con shortcodes de campo, pagando efectivamente una cantidad reducida por bienes o servicios."}], "lastModified": "2026-04-22T21:30:26.497", "sourceIdentifier": "security@wordfence.com"}