Formidable Forms Flaw Lets Attackers Pay Less For Expensive Purchases via @Sejournal, @Martinibuster

Search Engine Journal, Mar 12, 2026

Why It Matters

The issue enables financial fraud on thousands of e‑commerce sites, creating direct revenue loss and eroding consumer trust. Prompt remediation is essential to protect merchants and maintain marketplace integrity.

Key Takeaways

  • Vulnerability affects over 300,000 WordPress sites
  • Unauthenticated attackers can reuse a low‑value Stripe PaymentIntent
  • CVE‑2026‑2890 rated 7.5 CVSS (High)
  • Patch released in Formidable Forms version 6.29
  • No remote code execution, but financial fraud risk

Pulse Analysis

Formidable Forms is one of the most widely adopted drag‑and‑drop form builders for WordPress, powering contact, registration, and payment forms on hundreds of thousands of sites. Its integration with Stripe simplifies checkout, but the recent discovery that the plugin’s return‑handler validates payments solely on the PaymentIntent status reveals a fundamental design oversight. By decoupling the payment record from the specific transaction amount, the code opens a pathway for attackers to submit a cheap purchase, capture the resulting PaymentIntent, and then replay it against a more expensive order without additional verification.

The attack requires no credentials; a malicious actor can craft a request that reuses the captured client secret, tricking the plugin into marking the high‑value order as settled. For merchants, this translates into lost revenue, potential charge‑back disputes, and damage to brand reputation. Because the vulnerability does not involve code execution, traditional malware scanners may miss it, making behavioral monitoring of payment anomalies—such as sudden spikes in high‑value completions without corresponding Stripe events—crucial for early detection. Financial institutions and site owners should also audit webhook logs to ensure payment intents align with expected order totals.

Formidable Forms addressed the flaw in version 6.29 by binding each PaymentIntent to its originating form submission and verifying the charged amount before marking a transaction complete. This patch underscores the broader need for rigorous validation in third‑party plugins, especially those handling monetary flows. Site administrators should prioritize updating to the patched release, enforce least‑privilege access for plugin management, and consider supplemental security layers like Web Application Firewalls that can flag anomalous payment patterns. The episode serves as a reminder that even well‑maintained plugins can harbor high‑impact bugs, and continuous security hygiene remains essential in the WordPress ecosystem.
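As an added illustration (not Formidable Forms' code; the class names, field names and the `submission_id` metadata key are assumptions), the status-only check described above beside a hardened return handler that binds the PaymentIntent to its originating submission, verifies the charged amount and currency, and refuses to settle a second submission with an already-consumed intent:

```python
from dataclasses import dataclass, field

@dataclass
class PaymentIntent:
    # Stand-in for the Stripe PaymentIntent fields a return handler reads (constructed)
    id: str
    status: str
    amount: int          # minor units (cents), as Stripe reports it
    currency: str
    metadata: dict = field(default_factory=dict)

@dataclass
class Order:
    submission_id: str
    amount: int          # expected total in minor units
    currency: str

def vulnerable_return_handler(order: Order, intent: PaymentIntent) -> bool:
    # Status-only check: any succeeded intent settles any order, whatever its total
    return intent.status == "succeeded"

def hardened_return_handler(order: Order, intent: PaymentIntent, settled: set) -> bool:
    # 1. Intent must be in a final success state
    if intent.status != "succeeded":
        return False
    # 2. Intent must carry the submission it was created for (metadata set server-side)
    if intent.metadata.get("submission_id") != order.submission_id:
        return False
    # 3. Charged amount and currency must equal the order total exactly
    if intent.amount != order.amount or intent.currency.lower() != order.currency.lower():
        return False
    # 4. One intent settles at most one submission, so a consumed intent cannot be replayed
    if intent.id in settled:
        return False
    settled.add(intent.id)
    return True

# Constructed scenario: a $1.00 intent from a cheap submission, then presented
# against a $500.00 order that was never paid.
CHEAP_INTENT = PaymentIntent("pi_cheap", "succeeded", 100, "usd", {"submission_id": "sub-cheap"})
CHEAP_ORDER = Order("sub-cheap", 100, "usd")
EXPENSIVE_ORDER = Order("sub-expensive", 50000, "usd")

def demo() -> dict:
    settled = set()
    return {
        "vulnerable_accepts_replay": vulnerable_return_handler(EXPENSIVE_ORDER, CHEAP_INTENT),
        "hardened_accepts_replay": hardened_return_handler(EXPENSIVE_ORDER, CHEAP_INTENT, settled),
        "hardened_accepts_legit": hardened_return_handler(CHEAP_ORDER, CHEAP_INTENT, settled),
        "hardened_accepts_reuse": hardened_return_handler(CHEAP_ORDER, CHEAP_INTENT, settled),
    }
```

The same amount-and-binding comparison, run over recorded completions against the intents Stripe actually reports, is the reconciliation check the analysis recommends for webhook logs.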
