SureForms < 2.2.2 – Unauthenticated Stripe Payment Amount Manipulation | Plugin Vulnerabilities

Description

The plugin is vulnerable to Improper Input Validation due to the plugin accepting the payment amount directly from user-controlled POST data in the 'create_payment_intent' and 'create_subscription_intent' functions without validating it against the form's configured price. This makes it possible for unauthenticated attackers to modify the payment amount to any arbitrary value when submitting a Stripe payment form, potentially purchasing products or services at significantly reduced prices.

Affects Plugins

Fixed in 2.2.2

References

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/8b0e0f22-de42-4da9-a0c1-ae41ba57be03

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

andrea bocchetti

Verified

No

WPVDB ID

cf77aeb0-f7d0-480e-a8ac-e9b66b15e551

Timeline

Publicly Published

2026-02-13 (about 3 months ago)

Added

2026-04-14 (about 29 days ago)

Last Updated

2026-04-14 (about 29 days ago)

Other

Published

Title

Published

2026-01-23

Title

SupportCandy – Helpdesk & Customer Support Ticket System < 3.4.5 - Authenticated (Subscriber+) Insecure Direct Object Reference

Published

2026-04-08

Title

MStore API < 4.18.4 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Meta Update

Published

2024-09-25

Title

Salon booking system < 10.9.1 - Authenticated (Subscriber+) Insecure Direct Object Reference

Published

2025-03-07

Title

FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel < 2.4.30 - Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Post/Page Updates

Published

2022-11-07

Title

Awesome Support < 6.1.2 - Subscriber+ Arbitrary Exported Tickets Download