CVE-2026-15288 HIGH

CVE-2026-15288: SureForms – Drag and Drop Form Builder for WordPress <= 2.2.1 - Unauthenticated Stripe Payment Amount Manipulation

Vendor Brainstormforce
Product SureForms – Drag & Drop Contact Form & Form Builder, Payment Form, Survey, Quiz & Calculator
Weakness CWE-20 · Input validation
Published July 10, 2026
Last update July 10, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 2.2.1. This is due to the plugin accepting the payment amount directly from user-controlled POST data in the 'create_payment_intent' and 'create_subscription_intent' functions without validating it against the form's configured price. This makes it possible for unauthenticated attackers to modify the payment amount to any arbitrary value when submitting a Stripe payment form, potentially purchasing products or services at significantly reduced prices.

Explanation of Vulnerability in Simple Terms

02Summary

SureForms versions 2.2.1 and earlier contain an input validation flaw that allows attackers to modify form data without authentication. The vulnerability affects the form processing logic, enabling unauthorized changes to submitted information. Site administrators should update to a version newer than 2.2.1 immediately.

What an attacker can do

03Attacker Capabilities

Modify form submissions and data without logging in.

Potential impact on your site

04Site Impact

Form data integrity compromised; attackers can alter submissions, survey responses, or payment information.

Conditions required to exploit

05Prerequisites

Network access to the site; no authentication or user interaction required.

Key dates

06Disclosure timeline

July 10, 2026 CVE published

Related vulnerabilities

08Related CVE