CVE-2026-11567 PUBLISHED

SureForms < 2.11.1 - Unauthenticated Payment Amount Bypass

Assigner: WPScan
Reserved: 08.06.2026 Published: 14.07.2026 Updated: 14.07.2026

The SureForms WordPress plugin before 2.11.1 does not properly validate the payment amount on forms that use a dynamically-sourced (variable/hidden) payment amount, allowing unauthenticated users to underpay for the configured product or subscription. Forms using a fixed configured price are not affected.

Product Status

Vendor Unknown
Product SureForms
Versions Default: unaffected
  • affected from 0 to 2.11.1 (excl.)

Credits

  • Yaswanth Reddy Sunkara finder
  • WPScan coordinator

References

Problem Types

  • CWE-284 Improper Access Control CWE