Description
The SureForms – Contact Form, Payment Form & Other Custom Form Builder plugin for WordPress is vulnerable to Payment Amount Bypass in all versions up to, and including, 2.5.2. This is due to the create_payment_intent() function performing a payment validation solely based on the value of a user-controlled parameter. This makes it possible for unauthenticated attackers to bypass configured form payment-amount validation and create underpriced payment/subscription intents by setting form_id to 0.
Published: 2026-03-28
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized, underpriced payment creation
Action: Immediate Patch
AI Analysis

Impact

The SureForms plugin for WordPress allows unauthenticated users to create payment or subscription intents that do not respect the payment amount configured on the form. The root cause is that create_payment_intent() gates its amount validation on a user‑supplied form_id parameter rather than on server‑side form configuration. By setting form_id to 0, an attacker skips the configured payment‑amount check and creates a payment or subscription intent for a value lower than the form owner intended, leading to underpriced orders, financial loss and unauthorized transaction processing. The CVSS vector (C:N/I:H/A:N) reflects this: the impact is to integrity of payment data, not confidentiality or availability. The flaw is a classic input validation failure (CWE‑20).
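The following PHP is an added illustration of the pattern the description names, not SureForms' actual code: a hypothetical create_payment_intent handler whose amount check only runs when the user-controlled form_id resolves to a form, placed next to a hardened version that requires a real form and takes the amount from stored configuration only. The function names, the in-memory FORM_CONFIG table standing in for saved form settings, and the request array shape are all assumptions made for the example.

```php
<?php
// Added example (not SureForms code): the amount-validation bug pattern
// behind CVE-2026-4987, next to a hardened handler. FORM_CONFIG is a
// constructed stand-in for the forms a site owner has configured.
const FORM_CONFIG = [
    7 => ['currency' => 'usd', 'amount_cents' => 4999],
];

// Hypothetical lookup of a form's server-side payment settings.
function get_form_config(int $form_id): ?array
{
    return FORM_CONFIG[$form_id] ?? null;
}

// Vulnerable pattern: the amount check is gated on the user-controlled
// form_id. With form_id=0 the lookup branch is skipped entirely and the
// client-supplied amount is used as-is, so an unauthenticated request
// like form_id=0&amount=1 yields an underpriced intent.
function create_payment_intent_vulnerable(array $request): array
{
    $form_id = (int) ($request['form_id'] ?? 0);
    $amount  = (int) ($request['amount'] ?? 0);

    if ($form_id > 0) {
        $cfg = get_form_config($form_id);
        if ($cfg === null || $amount !== $cfg['amount_cents']) {
            return ['error' => 'amount_mismatch'];
        }
    }
    // Reached with any $amount when form_id is 0 (or absent).
    return ['ok' => true, 'amount_cents' => $amount];
}

// Hardened: a positive integer form_id that resolves to a configured form
// is mandatory, and the charged amount comes only from that configuration.
// The client's amount field is ignored, so there is nothing to bypass.
// Note the endpoint stays unauthenticated on purpose: public payment forms
// are meant to be used by anonymous visitors, so the fix is server-side
// amount resolution, not a login requirement.
function create_payment_intent_hardened(array $request): array
{
    $form_id = filter_var(
        $request['form_id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($form_id === false) {
        return ['error' => 'invalid_form_id'];
    }

    $cfg = get_form_config($form_id);
    if ($cfg === null) {
        return ['error' => 'unknown_form'];
    }

    return [
        'ok'           => true,
        'amount_cents' => $cfg['amount_cents'],
        'currency'     => $cfg['currency'],
    ];
}

// Constructed attacker request: form_id=0 with a token amount.
$attack = ['form_id' => 0, 'amount' => 1];
var_dump(create_payment_intent_vulnerable($attack));
var_dump(create_payment_intent_hardened($attack));
```

Run with `php example.php`: the vulnerable handler accepts the attacker's request and returns an intent for 1 cent, while the hardened handler rejects it with invalid_form_id because 0 fails the min_range check before any lookup happens. The same hardened handler charges 4999 cents for a legitimate request with form_id=7 regardless of what amount the client sends.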

Affected Systems

The affected product is Brainstormforce's SureForms – Contact Form, Payment Form & Other Custom Form Builder plugin for WordPress. All plugin releases up to and including version 2.5.2 are vulnerable. Any WordPress site running one of these versions is exposed while the plugin remains unpatched; sites that publish payment or subscription forms are the ones with something to lose.

Risk and Exploitability

The CVSS score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) indicates high severity, and the EPSS score is currently below 1%. The vulnerability description nonetheless makes the exploit straightforward: an unauthenticated HTTP request to the payment-intent handler with form_id=0 and an attacker-chosen amount is enough. No authentication, privileged access or user interaction is required, which makes the bug attractive to attackers, and the SSVC assessment in the history below rates it Automatable: yes. The vulnerability is not listed in the CISA KEV catalog and its SSVC Exploitation value is "none", so widespread exploitation is not yet known, but the low barrier to exploitation warrants proactive mitigation.

Generated by OpenCVE AI on March 28, 2026 at 05:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SureForms plugin to a version later than 2.5.2 (2.5.3 or newer), which is the affected range's upper bound.
  • If an update is delayed, disable payment processing in the plugin until a patch is applied. Note that restricting who can load the form page does not by itself help: the flaw is in the server-side handler, which unauthenticated clients can call directly without rendering the form. As a compensating control, reconcile the amount on every received payment or subscription against the form's configured price before fulfilling the order.
  • Review and ensure all other WordPress plugins and core components are kept up to date to minimize the attack surface.

Generated by OpenCVE AI on March 28, 2026 at 05:49 UTC.

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 16:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 08:15:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Brainstormforce; Brainstormforce sureforms – Contact Form, Payment Form & Other Custom Form Builder; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: (none)
Values added: Brainstormforce; Brainstormforce sureforms – Contact Form, Payment Form & Other Custom Form Builder; Wordpress; Wordpress wordpress

Sat, 28 Mar 2026 03:15:00 +0000

Type: Description
Values removed: (none)
Values added: The SureForms – Contact Form, Payment Form & Other Custom Form Builder plugin for WordPress is vulnerable to Payment Amount Bypass in all versions up to, and including, 2.5.2. This is due to the create_payment_intent() function performing a payment validation solely based on the value of a user-controlled parameter. This makes it possible for unauthenticated attackers to bypass configured form payment-amount validation and create underpriced payment/subscription intents by setting form_id to 0.

Type: Title
Values removed: (none)
Values added: SureForms <= 2.5.2 - Unauthenticated Payment Amount Validation Bypass via 'form_id'

Type: Weaknesses
Values removed: (none)
Values added: CWE-20

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:20:42.042Z

Reserved: 2026-03-27T12:55:03.320Z

Link: CVE-2026-4987

Vulnrichment

Updated: 2026-03-30T14:58:22.296Z

NVD

Status : Awaiting Analysis

Published: 2026-03-28T02:16:14.793

Modified: 2026-03-30T13:26:07.647

Link: CVE-2026-4987

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T07:59:11Z

Weaknesses