EUVD-2026-16905
GHSA-v8h4-7xcp-85r6
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
3Description
The SureForms - Contact Form, Payment Form & Other Custom Form Builder plugin for WordPress is vulnerable to Payment Amount Bypass in all versions up to, and including, 2.5.2. This is due to the create_payment_intent() function performing a payment validation solely based on the value of a user-controlled parameter. This makes it possible for unauthenticated attackers to bypass configured form payment-amount validation and create underpriced payment/subscription intents by setting form_id to 0.
Analysis
Payment amount bypass in Brainstorm Force SureForms WordPress plugin (all versions ≤2.5.2) allows unauthenticated remote attackers to create underpriced payment and subscription intents by manipulating the form_id parameter to 0, circumventing configured payment validation. CVSS 7.5 (High) with network-accessible attack vector and low complexity. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: disable the SureForms plugin or restrict form access to authenticated users only; audit payment transaction logs for anomalies since plugin installation. Within 7 days: contact Brainstorm Force for patch availability timeline; if no patch emerges, evaluate plugin alternatives or implement Web Application Firewall rules to block form_id parameter manipulation. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today