{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4987", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-27T12:55:03.320Z", "datePublished": "2026-03-28T01:25:46.475Z", "dateUpdated": "2026-03-30T14:58:31.041Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-28T01:25:46.475Z"}, "affected": [{"vendor": "brainstormforce", "product": "SureForms \u2013 Contact Form, Payment Form & Other Custom Form Builder", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "2.5.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The SureForms \u2013 Contact Form, Payment Form & Other Custom Form Builder plugin for WordPress is vulnerable to Payment Amount Bypass in all versions up to, and including, 2.5.2. This is due to the create_payment_intent() function performing a payment validation solely based on the value of a user-controlled parameter. This makes it possible for unauthenticated attackers to bypass configured form payment-amount validation and create underpriced payment/subscription intents by setting form_id to 0."}], "title": "SureForms <= 2.5.2 - Unauthenticated Payment Amount Validation Bypass via 'form_id'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c4772b32-a730-44f2-b43c-f9bd5abb6541?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3488858/sureforms"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-20 Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jack Pas"}], "timeline": [{"time": "2026-03-27T13:10:27.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-27T12:56:32.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T14:58:00.794768Z", "id": "CVE-2026-4987", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:58:31.041Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4987", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T14:58:00.794768Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:58:22.296Z"}}], "cna": {"title": "SureForms <= 2.5.2 - Unauthenticated Payment Amount Validation Bypass via 'form_id'", "credits": [{"lang": "en", "type": "finder", "value": "Jack Pas"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}}], "affected": [{"vendor": "brainstormforce", "product": "SureForms \u2013 Contact Form, Payment Form & Other Custom Form Builder", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.5.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-27T13:10:27.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-27T12:56:32.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c4772b32-a730-44f2-b43c-f9bd5abb6541?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3488858/sureforms"}], "descriptions": [{"lang": "en", "value": "The SureForms \u2013 Contact Form, Payment Form & Other Custom Form Builder plugin for WordPress is vulnerable to Payment Amount Bypass in all versions up to, and including, 2.5.2. This is due to the create_payment_intent() function performing a payment validation solely based on the value of a user-controlled parameter. This makes it possible for unauthenticated attackers to bypass configured form payment-amount validation and create underpriced payment/subscription intents by setting form_id to 0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-28T01:25:46.475Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4987", "state": "PUBLISHED", "dateUpdated": "2026-03-30T14:58:31.041Z", "dateReserved": "2026-03-27T12:55:03.320Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-28T01:25:46.475Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The SureForms \u2013 Contact Form, Payment Form & Other Custom Form Builder plugin for WordPress is vulnerable to Payment Amount Bypass in all versions up to, and including, 2.5.2. This is due to the create_payment_intent() function performing a payment validation solely based on the value of a user-controlled parameter. This makes it possible for unauthenticated attackers to bypass configured form payment-amount validation and create underpriced payment/subscription intents by setting form_id to 0."}], "id": "CVE-2026-4987", "lastModified": "2026-03-30T13:26:07.647", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-03-28T02:16:14.793", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3488858/sureforms"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c4772b32-a730-44f2-b43c-f9bd5abb6541?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.5.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "sureforms_\u2013_contact_form,_payment_form_&_other_custom_form_builder", "vendor": "brainstormforce"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-28T05:49:30.226884+00:00", "value": {"mitigation_remediation": ["Upgrade the SureForms plugin to the latest available version (at least 2.5.3).", "If an update is delayed, configure the site to restrict unauthenticated access to the payment forms or temporarily disable payment processing until a patch is applied.", "Review and ensure all other WordPress plugins and core components are kept up to date to minimize the attack surface."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized, underpriced payment creation"}, "threat_synthesis": {"affected_systems": "Vendors affected include brainstormforce\u2019s SureForms contact and payment form builder for WordPress. All plugin releases up to and including version 2.5.2 are vulnerable. Hosts running any of these versions, especially those exposing public payment forms, are susceptible if the plugin remains unpatched.", "description_and_impact": "The SureForms plugin for WordPress allows unauthenticated users to create payment or subscription intents without respecting the configured payment amount. The vulnerability arises because the create_payment_intent() function validates the amount based solely on a user\u2011supplied form_id parameter. By setting form_id to 0, an attacker can bypass all payment\u2011amount checks and submit payment intents with a value lower than intended, potentially leading to financial loss or unauthorized transaction processing. This flaw represents a classic input validation failure (CWE\u201120).", "risk_and_exploitability": "The CVSS score of 7.5 indicates high severity, and although the EPSS score is unavailable, the audit indicates that the exploit is straightforward: an unauthenticated HTTP request can be crafted with form_id=0 to trigger the vulnerability. The bug does not require authentication or privileged access, making it attractive for attackers. Since the vulnerability is not listed in the CISA KEV catalog, it may not yet have known, widespread exploits, but the low barrier to exploitation warrants proactive mitigation."}}}}, "created": "2026-03-29T20:32:44.117776+00:00", "updated": "2026-03-30T07:59:11.846379+00:00", "vendors": ["brainstormforce", "brainstormforce$PRODUCT$sureforms_\u2013_contact_form,_payment_form_&_other_custom_form_builder", "wordpress", "wordpress$PRODUCT$wordpress"]}