CVE-2026-11567: CWE-284 Improper Access Control in SureForms
The SureForms WordPress plugin before 2.11.1 does not properly validate the payment amount on forms that use a dynamically-sourced (variable/hidden) payment amount, allowing unauthenticated users to underpay for the configured product or subscription. Forms using a fixed configured price are not affected.
AI Analysis
Technical Summary
CVE-2026-11567 describes an improper access control vulnerability (CWE-284) in the SureForms WordPress plugin prior to version 2.11.1. The vulnerability arises because the plugin does not properly validate payment amounts on forms that use variable or hidden payment amounts sourced dynamically. This flaw allows unauthenticated attackers to submit payments with amounts lower than the configured price, effectively enabling underpayment for products or subscriptions. Forms that use a fixed configured price are not vulnerable. There is no CVSS score or vendor advisory indicating a patch or remediation status at this time.
Potential Impact
Unauthenticated attackers can exploit this vulnerability to pay less than the intended amount for products or subscriptions processed through SureForms forms that use dynamically-sourced payment amounts. This can result in financial loss to merchants using the affected plugin versions. Fixed-price forms are not impacted.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should avoid using dynamically-sourced payment amounts in SureForms forms or implement additional server-side validation to ensure payment amounts match expected values.
CVE-2026-11567: CWE-284 Improper Access Control in SureForms
Description
The SureForms WordPress plugin before 2.11.1 does not properly validate the payment amount on forms that use a dynamically-sourced (variable/hidden) payment amount, allowing unauthenticated users to underpay for the configured product or subscription. Forms using a fixed configured price are not affected.
CVSS v3.1
Score 5.9medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-11567 describes an improper access control vulnerability (CWE-284) in the SureForms WordPress plugin prior to version 2.11.1. The vulnerability arises because the plugin does not properly validate payment amounts on forms that use variable or hidden payment amounts sourced dynamically. This flaw allows unauthenticated attackers to submit payments with amounts lower than the configured price, effectively enabling underpayment for products or subscriptions. Forms that use a fixed configured price are not vulnerable. There is no CVSS score or vendor advisory indicating a patch or remediation status at this time.
Potential Impact
Unauthenticated attackers can exploit this vulnerability to pay less than the intended amount for products or subscriptions processed through SureForms forms that use dynamically-sourced payment amounts. This can result in financial loss to merchants using the affected plugin versions. Fixed-price forms are not impacted.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should avoid using dynamically-sourced payment amounts in SureForms forms or implement additional server-side validation to ensure payment amounts match expected values.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- WPScan
- Date Reserved
- 2026-06-08T08:28:35.208Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a55d15368715ace43daafb6
Added to database: 07/14/2026, 06:04:03 UTC
Last enriched: 07/14/2026, 06:17:57 UTC
Last updated: 07/14/2026, 23:57:59 UTC
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.