PatchSiren

brainstormforce CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH brainstormforce CVE published 2026-07-10

CVE-2026-15288

The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 2.2.1. This is due to the plugin accepting the payment amount directly from user-controlled POST data in the 'create_payment_intent' and 'create_subscription_intent' functions without validating it against the form's configured price. This makes it [truncated]

HIGH brainstormforce CVE published 2026-05-30

CVE-2026-7465

A remote code execution vulnerability exists in the Spectra Gutenberg Blocks – Website Builder for the Block Editor WordPress plugin (also known as Ultimate Addons for Gutenberg). The flaw affects all versions up to and including 2.19.25. An authenticated attacker with Contributor-level access or higher can execute arbitrary code on the server by embedding a crafted two-block payload in post content. The [truncated]

CRITICAL brainstormforce CVE published 2026-05-20

CVE-2026-9065

CVE-2026-9065 is a critical authenticated SQL injection vulnerability affecting SureCart versions prior to 4.2.1. The vulnerability resides in the REST API endpoint `/surecart/v1/integrations/{id}` and can be exploited through multiple parameters: `model_name`, `model_id`, `integration_id`, and `provider`. The root cause is a flawed escaping bypass in the `wp-query-builder` query builder. Values passed to [truncated]