SureForms Plugin Allows Underpriced Payments on WordPress

CVE-2026-4987
Summary

The SureForms plugin for WordPress does not properly validate payment amounts, allowing attackers to create underpriced payments without authentication. This affects all versions of the plugin up to and including 2.5.2. To fix, update the plugin to a patched version or remove it until an update is available.

Original description
The SureForms – Contact Form, Payment Form & Other Custom Form Builder plugin for WordPress is vulnerable to Payment Amount Bypass in all versions up to, and including, 2.5.2. This is due to the create_payment_intent() function performing a payment validation solely based on the value of a user-controlled parameter. This makes it possible for unauthenticated attackers to bypass configured form payment-amount validation and create underpriced payment/subscription intents by setting form_id to 0.
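The root cause described above is a server-side amount check that only runs when a client-controlled form_id resolves to a configured form, so a value that maps to nothing (0) skips the check and the client's amount is used. The PHP below is an added illustration, not SureForms code: the "vulnerable" function is a hypothetical reconstruction of that pattern, the "hardened" function shows the fix a defender would want (resolve the form first, reject anything unknown, and never take the amount from the request), and the form table and request bodies are constructed sample data.

```php
<?php
// Added example (not SureForms code): vulnerable vs. hardened server-side
// amount handling for a "create payment intent" endpoint. The vulnerable
// version is a hypothetical reconstruction of the advisory's pattern
// (validation keyed off a user-controlled form_id); all data is constructed.

declare(strict_types=1);

// Constructed form configuration: amounts in minor units (cents).
const FORMS = [
    12 => ['label' => 'Donation', 'amount' => 5000,  'currency' => 'usd'],
    34 => ['label' => 'Course',   'amount' => 19900, 'currency' => 'usd'],
];

function load_form(int $form_id): ?array
{
    return FORMS[$form_id] ?? null;
}

// Vulnerable pattern (hypothetical): whether validation runs depends on the
// client-supplied form_id. A form_id that maps to no form skips the
// comparison, and the client-supplied amount is passed through verbatim.
function create_payment_intent_vulnerable(array $request): array
{
    $form_id = (int) ($request['form_id'] ?? 0);
    $amount  = (int) ($request['amount'] ?? 0);

    $form = load_form($form_id);
    if ($form !== null && $amount !== $form['amount']) {
        return ['error' => 'amount mismatch'];
    }
    // form_id 0 => $form is null => no comparison => attacker-chosen amount.
    return ['amount' => $amount, 'currency' => $request['currency'] ?? 'usd'];
}

// Hardened version: the amount is never read from the request. The server
// resolves the form first, rejects anything that does not map to a configured
// form, and takes amount and currency from its own configuration.
function create_payment_intent_hardened(array $request): array
{
    if (!isset($request['form_id']) || !ctype_digit((string) $request['form_id'])) {
        return ['error' => 'invalid form_id'];
    }
    $form = load_form((int) $request['form_id']);
    if ($form === null) {
        return ['error' => 'unknown form'];
    }
    if ($form['amount'] <= 0) {
        return ['error' => 'form has no payable amount'];
    }
    return ['amount' => $form['amount'], 'currency' => $form['currency']];
}

// Constructed requests: an honest one, and one with form_id 0 and a one-cent amount.
$honest = ['form_id' => 12, 'amount' => 5000, 'currency' => 'usd'];
$bypass = ['form_id' => 0,  'amount' => 1,    'currency' => 'usd'];

foreach (['vulnerable' => 'create_payment_intent_vulnerable',
          'hardened'   => 'create_payment_intent_hardened'] as $name => $fn) {
    echo $name, ' / honest:    ', json_encode($fn($honest)), PHP_EOL;
    echo $name, ' / form_id=0: ', json_encode($fn($bypass)), PHP_EOL;
}
```

Run with `php example.php`: the vulnerable function returns an intent for 1 cent when form_id is 0, while the hardened one answers `unknown form` and returns the configured 5000 for the honest request. The design point is that the amount is a property of the form, not of the request, so the only client input that should influence price is a form_id that must resolve to a real form. For detection on an unpatched site, payment-intent requests whose form_id is absent, 0, or otherwise does not match a configured form are the records worth alerting on.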
NVD CVSS 3.1 base score: 7.5
Vulnerability type
CWE-20 Improper Input Validation
Published: 28 Mar 2026 · Updated: 28 Mar 2026 · First seen: 28 Mar 2026