CVE-2026-4987

SureForms <= 2.5.2 - Unauthenticated Payment Amount Validation Bypass via 'form_id'

Assigner: Wordfence
Reserved: 27.03.2026 Published: 28.03.2026 Updated: 28.03.2026

The SureForms – Contact Form, Payment Form & Other Custom Form Builder plugin for WordPress is vulnerable to Payment Amount Bypass in all versions up to, and including, 2.5.2. This is due to the create_payment_intent() function performing a payment validation solely based on the value of a user-controlled parameter. This makes it possible for unauthenticated attackers to bypass configured form payment-amount validation and create underpriced payment/subscription intents by setting form_id to 0.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	brainstormforce
Product	SureForms – Contact Form, Payment Form & Other Custom Form Builder
Versions	Default: unaffected affected from * to 2.5.2 (incl.)

Vendor

brainstormforce

Product

SureForms – Contact Form, Payment Form & Other Custom Form Builder

Versions

Default: unaffected

affected from * to 2.5.2 (incl.)

Credits

Jack Pas finder

References

Problem Types