PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-15288 brainstormforce CVE debrief

The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 2.2.1. This is due to the plugin accepting the payment amount directly from user-controlled POST data in the 'create_payment_intent' and 'create_subscription_intent' functions without validating it against the form's configured price. This makes it possible for unauthenticated attackers to modify the payment amount to any arbitrary value when submitting a Stripe payment form, potentially purchasing products or services at significantly reduced prices. Administrators and users of the SureForms – Drag and Drop Form Builder for WordPress plugin should be aware of this vulnerability and take immediate action to protect their applications.

Vendor
brainstormforce
Product
SureForms – Drag & Drop Contact Form & Form Builder, Payment Form, Survey, Quiz & Calculator
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Administrators and users of the SureForms – Drag and Drop Form Builder for WordPress plugin should be aware of this vulnerability and take immediate action to protect their applications. This includes reviewing and validating payment forms and Stripe payment configurations, monitoring for suspicious payment activity, and implementing additional security measures such as payment validation and IP restrictions.

Technical summary

The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Improper Input Validation. The plugin accepts payment amounts directly from user-controlled POST data without validation, allowing unauthenticated attackers to modify payment amounts to arbitrary values when submitting a Stripe payment form. This could lead to unauthorized transactions and potential financial loss. The vulnerability exists in all versions up to, and including, 2.2.1.

Defensive priority

High priority due to the potential for significant financial impact.

Recommended defensive actions

  • Update the SureForms – Drag and Drop Form Builder for WordPress plugin to the latest version.
  • Review and validate payment forms and Stripe payment configurations.
  • Monitor for suspicious payment activity.
  • Implement additional security measures, such as payment validation and IP restrictions.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record was published on 2026-07-10T05:16:31.923Z and last modified on 2026-07-10T15:43:30.330Z. The NVD entry is currently Deferred. The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 2.2.1. This vulnerability allows unauthenticated attackers to modify payment amounts to arbitrary values when submitting a Stripe payment form. The plugin accepts payment amounts directly from user-controlled POST data without validation against the form's configured price. This could potentially allow attackers to purchase products or services at significantly reduced prices.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T05:16:31.923Z and has not been modified since then. The NVD entry is currently Deferred.