CVE-2026-15288 in SureForms Plugininfo

Summary

by MITRE • 07/10/2026

The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 2.2.1. This is due to the plugin accepting the payment amount directly from user-controlled POST data in the 'create_payment_intent' and 'create_subscription_intent' functions without validating it against the form's configured price. This makes it possible for unauthenticated attackers to modify the payment amount to any arbitrary value when submitting a Stripe payment form, potentially purchasing products or services at significantly reduced prices.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/10/2026

The SureForms plugin for WordPress presents a critical vulnerability in its payment processing logic that stems from inadequate input validation mechanisms within its core functionality. This flaw exists in all versions up to and including 221 and specifically affects the create_payment_intent and create_subscription_intent functions where user-controlled data is directly accepted without proper sanitization or verification against configured form parameters. The vulnerability creates a pathway for attackers to manipulate payment amounts during Stripe transaction processing by submitting malicious POST data that bypasses the plugin's intended price validation controls.

This improper input validation vulnerability aligns with CWE-20, which specifically addresses "Improper Input Validation" in software systems where applications fail to properly validate or sanitize user-supplied data before processing. The flaw represents a classic case of insufficient data sanitization where the plugin's payment processing functions trust user input implicitly rather than validating it against predetermined form configurations. Attackers can exploit this weakness by crafting malicious requests that modify the payment amount field, allowing them to submit payments for significantly reduced values compared to what the form was originally configured to charge.

The operational impact of this vulnerability extends beyond simple financial loss, as it fundamentally compromises the integrity of the plugin's commerce functionality and potentially affects the broader WordPress ecosystem where such plugins are deployed. An unauthenticated attacker can leverage this vulnerability to perform unauthorized transactions at arbitrary payment amounts, effectively enabling fraudulent purchases without proper authorization or price validation. The implications are particularly severe for businesses relying on the plugin for legitimate e-commerce operations, as it creates opportunities for systematic price manipulation across multiple form submissions and could lead to substantial revenue loss.

Security mitigations for this vulnerability should prioritize implementing strict input validation controls that verify all payment amounts against predefined form configurations before processing transactions. Organizations should immediately update to patched versions of the SureForms plugin where available and implement additional monitoring mechanisms to detect anomalous payment patterns that may indicate exploitation attempts. The remediation process must include thorough input sanitization of all user-supplied payment data, enforcement of price validation rules, and implementation of proper access controls to ensure only authorized parties can modify form configurations. Security teams should also consider deploying web application firewalls with custom rules to detect and block suspicious POST requests targeting the vulnerable functions, while establishing comprehensive logging and alerting systems to monitor for exploitation attempts that align with ATT&CK technique T1071.004 for application layer protocol manipulation.

Responsible

Wordfence

Reservation

07/09/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!