7.5
CVE-2026-4987
- EPSS 0.09%
- Veröffentlicht 28.03.2026 01:25:46
- Zuletzt bearbeitet 30.03.2026 13:26:07
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
SureForms <= 2.5.2 - Unauthenticated Payment Amount Validation Bypass via 'form_id'
The SureForms – Contact Form, Payment Form & Other Custom Form Builder plugin for WordPress is vulnerable to Payment Amount Bypass in all versions up to, and including, 2.5.2. This is due to the create_payment_intent() function performing a payment validation solely based on the value of a user-controlled parameter. This makes it possible for unauthenticated attackers to bypass configured form payment-amount validation and create underpriced payment/subscription intents by setting form_id to 0.
Mögliche Gegenmaßnahme
SureForms – Contact Form, Payment Form & Other Custom Form Builder: Update to version 2.6.0, or a newer patched version
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
LoginWeitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
SureForms – Contact Form, Payment Form & Other Custom Form Builder
Version
*-2.5.2
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellerbrainstormforce
≫
Produkt
SureForms – Contact Form, Payment Form & Other Custom Form Builder
Default Statusunaffected
Version <=
2.5.2
Version
0
Status
affected
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.09% | 0.248 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@wordfence.com | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
|
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.