What the vulnerability does
01Description
The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 2.2.1. This is due to the plugin accepting the payment amount directly from user-controlled POST data in the 'create_payment_intent' and 'create_subscription_intent' functions without validating it against the form's configured price. This makes it possible for unauthenticated attackers to modify the payment amount to any arbitrary value when submitting a Stripe payment form, potentially purchasing products or services at significantly reduced prices.
Explanation of Vulnerability in Simple Terms
02Summary
SureForms versions 2.2.1 and earlier contain an input validation flaw that allows attackers to modify form data without authentication. The vulnerability affects the form processing logic, enabling unauthorized changes to submitted information. Site administrators should update to a version newer than 2.2.1 immediately.
What an attacker can do
03Attacker Capabilities
Modify form submissions and data without logging in.
Potential impact on your site
04Site Impact
Form data integrity compromised; attackers can alter submissions, survey responses, or payment information.
Conditions required to exploit
05Prerequisites
Network access to the site; no authentication or user interaction required.
Key dates
06Disclosure timeline
July 10, 2026
CVE published