Platform: wordpress
Component: sureforms
Fixed in: 2.5.4
CVE-2026-4987 describes a Payment Amount Bypass vulnerability in the SureForms – Contact Form, Payment Form & Other Custom Form Builder WordPress plugin. This flaw allows unauthenticated attackers to bypass payment amount validation, potentially creating underpriced payment or subscription intents. This affects versions up to and including 2.5.2. The vulnerability is fixed in version 2.6.0.
CVE-2026-4987 in the SureForms WordPress plugin allows unauthenticated attackers to bypass configured form payment-amount validation. This is due to the createpaymentintent() function performing payment validation solely based on a user-controlled parameter. By setting form_id to 0, an attacker can create underpriced payment/subscription intents, potentially leading to financial losses for website owners. The CVSS score for this vulnerability is 7.5, indicating a significant risk. All versions up to and including 2.5.2 are affected, making it crucial to update to version 2.6.0 or later to mitigate this risk.
An attacker could exploit this vulnerability by sending a malicious HTTP request to a website using SureForms. This request would manipulate the form_id parameter to set it to 0, bypassing the payment amount validation. The attacker could then create a payment or subscription intent with a significantly lower amount than expected, gaining a financial benefit at the website owner's expense. The lack of authentication required to exploit this vulnerability makes it particularly dangerous, as anyone with internet access could potentially exploit it. Exploitation is relatively straightforward and does not require advanced technical skills.
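To make the defect class concrete, below is an added, simplified PHP sketch of a payment-intent REST handler. It is hypothetical illustration code, not SureForms' own: the first handler lets a client-controlled form_id decide whether any amount check runs at all, so a form_id of 0 skips the check and the client's amount is used as sent; the second resolves the amount from the form's stored configuration and rejects requests that do not name a real, payment-enabled form. The function names, the `example_form` post type, the `example_payment_settings` meta key and `create_intent_with_gateway()` are assumptions.

```php
<?php
// Added illustration of the "validate only if the client asks you to" defect class.
// Hypothetical code, not the plugin's own; names and meta keys are assumptions.

// VULNERABLE PATTERN: whether validation happens depends on client-controlled
// form_id. With form_id = 0 no configuration is loaded, the check is skipped,
// and the client-supplied amount goes straight to the gateway.
function vulnerable_create_payment_intent( WP_REST_Request $request ) {
    $form_id = (int) $request->get_param( 'form_id' );
    $amount  = (float) $request->get_param( 'amount' ); // client-controlled

    $settings = $form_id ? get_post_meta( $form_id, 'example_payment_settings', true ) : null;
    if ( $settings && $amount < (float) $settings['min_amount'] ) {
        return new WP_Error( 'invalid_amount', 'Amount below configured minimum.', [ 'status' => 400 ] );
    }
    return create_intent_with_gateway( $amount ); // hypothetical gateway call
}

// HARDENED PATTERN: the server decides the amount. The request may only select a
// published, payment-enabled form; the price comes from that form's stored config.
function hardened_create_payment_intent( WP_REST_Request $request ) {
    $form_id = absint( $request->get_param( 'form_id' ) );
    $form    = $form_id ? get_post( $form_id ) : null;

    // Reject 0, non-existent, unpublished or wrong-type forms instead of falling through.
    if ( ! $form || 'publish' !== $form->post_status || 'example_form' !== $form->post_type ) {
        return new WP_Error( 'invalid_form', 'Unknown form.', [ 'status' => 400 ] );
    }
    $settings = get_post_meta( $form->ID, 'example_payment_settings', true );
    if ( empty( $settings['enabled'] ) ) {
        return new WP_Error( 'payments_disabled', 'This form does not accept payments.', [ 'status' => 400 ] );
    }

    // Fixed-price forms: ignore any client-supplied amount entirely.
    // Custom-amount forms: enforce the configured server-side min/max range.
    if ( empty( $settings['allow_custom_amount'] ) ) {
        $amount = (float) $settings['amount'];
    } else {
        $amount = (float) $request->get_param( 'amount' );
        if ( $amount < (float) $settings['min_amount'] || $amount > (float) $settings['max_amount'] ) {
            return new WP_Error( 'invalid_amount', 'Amount outside the configured range.', [ 'status' => 400 ] );
        }
    }
    return create_intent_with_gateway( $amount ); // hypothetical gateway call
}
```

The detection angle follows from the same logic: intent-creation requests whose form_id is 0 or does not resolve to a payment-enabled form are the events worth alerting on in server logs.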
Exploit Status
EPSS: 0.08% (25th percentile)
CISA SSVC
CVSS Vector
The solution to this vulnerability is to update the SureForms plugin to version 2.6.0 or later. This version includes a fix that properly validates the payment amount, preventing manipulation by attackers. Additionally, review your form configurations to ensure minimum and maximum payment amounts are correctly defined. Regularly monitoring server logs for suspicious activity related to payment intent creation can also help detect and prevent potential attacks. Implementing additional security measures, such as two-factor authentication for users with plugin administration access, can further strengthen website protection.
Update to version 2.6.0, or a newer patched version
All versions of SureForms up to and including 2.5.2 are affected by this vulnerability.
You can update SureForms from the WordPress admin dashboard by going to Plugins > Updates.
If you cannot update immediately, consider temporarily disabling payment forms until you can update the plugin.
Yes, implement two-factor authentication for users with plugin administration access and monitor server logs for suspicious activity.
You can find more information about this vulnerability in the CVE database: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4987