CVE-2026-4987: CWE-20 Improper Input Validation in brainstormforce SureForms – Contact Form, Payment Form & Other Custom Form Builder
The SureForms – Contact Form, Payment Form & Other Custom Form Builder plugin for WordPress is vulnerable to Payment Amount Bypass in all versions up to, and including, 2.5.2. This is due to the create_payment_intent() function performing a payment validation solely based on the value of a user-controlled parameter. This makes it possible for unauthenticated attackers to bypass configured form payment-amount validation and create underpriced payment/subscription intents by setting form_id to 0.
AI Analysis
Technical Summary
The SureForms – Contact Form, Payment Form & Other Custom Form Builder plugin for WordPress contains an improper input validation vulnerability (CWE-20) identified as CVE-2026-4987. The vulnerability exists because the create_payment_intent() function validates payment amounts based only on a user-controllable parameter, allowing unauthenticated attackers to bypass configured payment amount checks. By setting the form_id parameter to 0, attackers can create payment or subscription intents with reduced prices, potentially leading to financial loss. This affects all plugin versions up to 2.5.2. The CVSS v3.1 score is 7.5, indicating high severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. No patch or vendor advisory is currently available to confirm remediation status.
Potential Impact
An attacker can bypass payment amount validation and create underpriced payment or subscription intents, potentially causing financial loss to the site owner. The vulnerability requires no authentication and can be exploited remotely without user interaction. There is no indication of confidentiality or availability impact, but the integrity of payment transactions is compromised.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider implementing additional server-side validation for payment amounts independent of user-controlled parameters to mitigate exploitation risk.
CVE-2026-4987: CWE-20 Improper Input Validation in brainstormforce SureForms – Contact Form, Payment Form & Other Custom Form Builder
Description
The SureForms – Contact Form, Payment Form & Other Custom Form Builder plugin for WordPress is vulnerable to Payment Amount Bypass in all versions up to, and including, 2.5.2. This is due to the create_payment_intent() function performing a payment validation solely based on the value of a user-controlled parameter. This makes it possible for unauthenticated attackers to bypass configured form payment-amount validation and create underpriced payment/subscription intents by setting form_id to 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The SureForms – Contact Form, Payment Form & Other Custom Form Builder plugin for WordPress contains an improper input validation vulnerability (CWE-20) identified as CVE-2026-4987. The vulnerability exists because the create_payment_intent() function validates payment amounts based only on a user-controllable parameter, allowing unauthenticated attackers to bypass configured payment amount checks. By setting the form_id parameter to 0, attackers can create payment or subscription intents with reduced prices, potentially leading to financial loss. This affects all plugin versions up to 2.5.2. The CVSS v3.1 score is 7.5, indicating high severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. No patch or vendor advisory is currently available to confirm remediation status.
Potential Impact
An attacker can bypass payment amount validation and create underpriced payment or subscription intents, potentially causing financial loss to the site owner. The vulnerability requires no authentication and can be exploited remotely without user interaction. There is no indication of confidentiality or availability impact, but the integrity of payment transactions is compromised.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider implementing additional server-side validation for payment amounts independent of user-controlled parameters to mitigate exploitation risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-03-27T12:55:03.320Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69c7307f2b68dbd88e6742d7
Added to database: 3/28/2026, 1:35:59 AM
Last enriched: 4/11/2026, 12:53:20 PM
Last updated: 5/11/2026, 7:43:41 PM
Views: 109
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.