Close Menu
    Subscribe
    Alerts

    CVE-2026-4987 | THREATINT

    adminBy No Comments1 Min Read


    Home

    Description

    The SureForms – Contact Form, Payment Form & Other Custom Form Builder plugin for WordPress is vulnerable to Payment Amount Bypass in all versions up to, and including, 2.5.2. This is due to the create_payment_intent() function performing a payment validation solely based on the value of a user-controlled parameter. This makes it possible for unauthenticated attackers to bypass configured form payment-amount validation and create underpriced payment/subscription intents by setting form_id to 0.

    PUBLISHED Reserved 2026-03-27 | Published 2026-03-28 | Updated 2026-03-28 | Assigner Wordfence

    HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

    Problem types

    CWE-20 Improper Input Validation

    Product status

    Default status
    unaffected

    * (semver)
    affected

    Timeline

    2026-03-27: Vendor Notified
    2026-03-27: Disclosed

    Credits

    Jack Pas finder

    References

    www.wordfence.com/…-a730-44f2-b43c-f9bd5abb6541?source=cve

    plugins.trac.wordpress.org/changeset/3488858/sureforms

    cve.org (CVE-2026-4987)

    nvd.nist.gov (CVE-2026-4987)

    Download JSON



    Source link

    Share.

    Related Posts

    Add A Comment

    Comments are closed.