CVE-2026-1782

EUVD-2026-22851 | MEDIUM | CVSS 3.1: 5.3 | 2026-04-15 | Wordfence

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 15, 2026 - 09:09 (vuln.today)

Description (NVD)

The MetForm Pro plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 3.9.7. This is due to the payment integrations (Stripe/PayPal) trusting a user-submitted calculation field value without recomputing or validating it against the configured form price. This makes it possible for unauthenticated attackers to manipulate the payment amount via the 'mf-calculation' field in the form submission REST request, provided a form with this particular configuration exists.
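
The missing control described above, sketched as an added example (not MetForm Pro's code and not the vendor's patch): the charge is recomputed from server-side form configuration, and the client's 'mf-calculation' value is only compared against it. The config layout, the 'quantity' field and the function name are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical server-side form definition; prices kept in minor units (cents).
const FORM_CONFIG = [
    'unit_price_cents' => 4900,
    'max_quantity'     => 10,
];

/**
 * Compute the amount to charge from server-side config and validated inputs.
 * The client-supplied 'mf-calculation' value is never charged; it is only
 * compared with the recomputed total so the caller can reject or log a mismatch.
 */
function resolve_charge_cents(array $config, array $submission): array
{
    // 'quantity' is an assumed input field; validate it as a bounded integer.
    $qty = filter_var($submission['quantity'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => $config['max_quantity']]]);
    if ($qty === false) {
        throw new InvalidArgumentException('quantity missing or out of range');
    }
    $expected = $config['unit_price_cents'] * $qty;

    // Parse the claimed total strictly; anything that is not a plain decimal
    // amount (arrays, negatives, exponents, empty) counts as a mismatch.
    $claimed = $submission['mf-calculation'] ?? '';
    $claimedCents = (is_string($claimed) && preg_match('/^\d{1,7}(\.\d{1,2})?$/', $claimed))
        ? (int) round(((float) $claimed) * 100)
        : null;

    return [
        'amount_cents' => $expected,               // pass only this to the payment API
        'tampered'     => $claimedCents !== $expected,
    ];
}

// Constructed sample submissions: one consistent, one with an altered total.
$samples = [
    ['quantity' => '2', 'mf-calculation' => '98.00'],
    ['quantity' => '2', 'mf-calculation' => '0.01'],
];
foreach ($samples as $s) {
    $r = resolve_charge_cents(FORM_CONFIG, $s);
    printf("claimed=%s charge_cents=%d tampered=%s\n",
        $s['mf-calculation'], $r['amount_cents'], $r['tampered'] ? 'yes' : 'no');
}
```

Both samples resolve to a charge of 9800 cents; only the second is flagged, which gives a signal to reject the submission and to alert on.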

Analysis (AI)

Remote attackers can manipulate payment amounts in Stripe and PayPal transactions through the MetForm Pro WordPress plugin by submitting arbitrary values in the 'mf-calculation' field, bypassing price validation. Versions up to 3.9.7 are affected; the plugin fails to recompute or validate user-submitted calculation fields against configured form prices, allowing unauthenticated attackers to reduce or alter payment amounts on vulnerable forms. …
