Input Validation Flaw in SureForms Drag and Drop Form Builder Plugin for WordPress
CVE-2026-15288

7.5HIGH

What is CVE-2026-15288?

The SureForms – Drag and Drop Form Builder for WordPress is susceptible to improper input validation, allowing unauthenticated users to manipulate the payment amount submitted through Stripe forms. This vulnerability arises because the plugin accepts payment amounts from user-controlled POST data in its 'create_payment_intent' and 'create_subscription_intent' functions without adequate validation against the configured prices of forms. As a result, attackers could exploit this flaw to set arbitrary payment values, posing a significant risk to merchants and users relying on the plugin for secure transactions.

Affected Version(s)

SureForms – Drag & Drop Contact Form & Form Builder, Payment Form, Survey, Quiz & Calculator 0 <= 2.2.1

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

andrea bocchetti
.