Input Validation Flaw in SureForms Drag and Drop Form Builder Plugin for WordPress
CVE-2026-15288
7.5HIGH
Key Information:
- Vendor
WordPress
- Status
- Vendor
- CVE Published:
- 10 July 2026
What is CVE-2026-15288?
The SureForms β Drag and Drop Form Builder for WordPress is susceptible to improper input validation, allowing unauthenticated users to manipulate the payment amount submitted through Stripe forms. This vulnerability arises because the plugin accepts payment amounts from user-controlled POST data in its 'create_payment_intent' and 'create_subscription_intent' functions without adequate validation against the configured prices of forms. As a result, attackers could exploit this flaw to set arbitrary payment values, posing a significant risk to merchants and users relying on the plugin for secure transactions.
Affected Version(s)
SureForms β Drag & Drop Contact Form & Form Builder, Payment Form, Survey, Quiz & Calculator 0 <= 2.2.1