WordPress Plugin Vulnerabilities

SureForms < 2.11.1 - Unauthenticated Payment Amount Bypass

Description

The plugin does not properly validate the payment amount on forms that use a dynamically-sourced (variable/hidden) payment amount, allowing unauthenticated users to underpay for the configured product or subscription. Forms using a fixed configured price are not affected.

Proof of Concept

Affects Plugins

Fixed in 2.11.1

References

Classification

Type
ACCESS CONTROLS
CWE

Miscellaneous

Original Researcher
Yaswanth Reddy Sunkara
Submitter
Yaswanth Reddy Sunkara
Verified
Yes

Timeline

Publicly Published
2026-06-23 (about 22 days ago)
Added
2026-06-23 (about 21 days ago)
Last Updated
2026-06-23 (about 21 days ago)

Other