CVE-2026-4987 HIGH

CVE-2026-4987: SureForms <= 2.5.2 - Unauthenticated Payment Amount Validation Bypass via 'form_id'

Vendor Brainstormforce
Product SureForms – Contact Form, Payment Form & Other Custom Form Builder
Weakness CWE-20 · Input validation
Published March 28, 2026
Last update April 8, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01 Description

The SureForms – Contact Form, Payment Form & Other Custom Form Builder plugin for WordPress is vulnerable to Payment Amount Bypass in all versions up to, and including, 2.5.2. This is due to the create_payment_intent() function performing payment validation based solely on the value of a user-controlled parameter. This makes it possible for unauthenticated attackers to bypass the configured form payment-amount validation and create underpriced payment/subscription intents by setting form_id to 0.
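As an added illustration of the flaw described above, the vulnerable shape of such a handler beside a hardened one. This is a hypothetical reconstruction of the bug class, not SureForms' own code; the form store, function names and amounts are constructed for the example.

```php
<?php
// Hypothetical reconstruction of the bug class described above; not SureForms' code.
// Constructed server-side store: form ID => published status and configured price (cents).
function form_store(): array {
    return [
        17 => ['status' => 'publish', 'amount_cents' => 4999, 'currency' => 'usd'],
    ];
}

// Vulnerable pattern: the amount check runs only when the client-supplied form_id
// resolves to a stored form. A form_id of 0 never resolves, so the check is skipped
// and whatever amount the client sent is used to create the intent.
function create_payment_intent_vulnerable(array $request): array {
    $form_id = (int) ($request['form_id'] ?? 0);
    $amount  = (int) ($request['amount'] ?? 0);
    $forms   = form_store();
    if ($form_id && isset($forms[$form_id]) && $forms[$form_id]['amount_cents'] !== $amount) {
        return ['error' => 'amount mismatch'];
    }
    return ['ok' => true, 'amount_cents' => $amount];
}

// Hardened pattern: the request must name a published, payment-enabled form, and the
// amount is read from that server-side configuration. The client-supplied amount is
// never used, so form_id=0 (or any unknown ID) is rejected outright.
function create_payment_intent_hardened(array $request): array {
    $form_id = (int) ($request['form_id'] ?? 0);
    $forms   = form_store();
    $form    = $forms[$form_id] ?? null;
    if ($form_id <= 0 || $form === null || $form['status'] !== 'publish') {
        return ['error' => 'invalid form'];
    }
    if (!isset($form['amount_cents']) || $form['amount_cents'] <= 0) {
        return ['error' => 'form does not accept payments'];
    }
    return ['ok' => true, 'amount_cents' => $form['amount_cents'], 'currency' => $form['currency']];
}

// Constructed request: form_id 0 with an underpriced amount.
$underpriced = ['form_id' => 0, 'amount' => 1];
echo json_encode(create_payment_intent_vulnerable($underpriced)), PHP_EOL;
echo json_encode(create_payment_intent_hardened($underpriced)), PHP_EOL;
```

The hardened version also serves as the check to look for when reviewing a fix: the intent amount must come from the stored form configuration, and a form that does not resolve must fail closed.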

Explanation of Vulnerability in Simple Terms

02 Summary

SureForms versions 2.5.2 and earlier contain an input validation flaw that allows attackers to modify form data without authorization. An attacker can send a crafted network request to alter form submissions, responses, or configuration. No authentication or user interaction is required. Site administrators should update immediately to prevent unauthorized changes to form content and submissions.

What an attacker can do

03 Attacker Capabilities

Modify form data, submissions, or settings without permission via network requests.

Potential impact on your site

04 Site Impact

Form submissions and settings can be altered by unauthorized parties, compromising data integrity.

Conditions required to exploit

05 Prerequisites

Network access to the site; no authentication or user interaction required.

Key dates

06 Disclosure timeline

March 28, 2026 CVE published
April 8, 2026 Record updated