Skip to content
Threat Feed
high advisory

CVE-2026-15288: SureForms WordPress Plugin Payment Manipulation Vulnerability

The SureForms - Drag and Drop Form Builder for WordPress plugin (versions up to and including 2.2.1) is vulnerable to improper input validation (CVE-2026-15288), allowing unauthenticated attackers to modify payment amounts in user-controlled POST data when submitting Stripe payment forms, enabling them to purchase products or services at arbitrarily reduced prices.

The SureForms - Drag and Drop Form Builder for WordPress plugin, affecting all versions up to and including 2.2.1, contains an Improper Input Validation vulnerability (CVE-2026-15288). This flaw stems from the plugin's create_payment_intent and create_subscription_intent functions, which accept user-controlled payment amounts directly from POST data without verifying them against the intended product price. Discovered recently, this vulnerability allows unauthenticated attackers to manipulate payment amounts to arbitrary, significantly reduced values when submitting Stripe payment forms. This poses a critical risk to e-commerce sites using the plugin, enabling fraudulent purchases and direct financial losses for the vendor.

Attack Chain

  1. An unauthenticated attacker identifies a target WordPress site utilizing the SureForms plugin (version <= 2.2.1).
  2. The attacker initiates a purchase process on the victim site, leading to a Stripe payment form submission.
  3. During the payment submission, the attacker intercepts the HTTP POST request intended for /wp-admin/admin-ajax.php.
  4. The attacker modifies the amount parameter within the POST data, setting it to an arbitrarily low value (e.g., 0, 1, or 0.01).
  5. The manipulated POST request is then sent to the vulnerable create_payment_intent or create_subscription_intent functions within the plugin.
  6. The SureForms plugin processes the payment with the attacker-provided, unvalidated low amount.
  7. The payment gateway (Stripe) processes the transaction for the reduced amount, completing the purchase.
  8. The attacker successfully acquires products or services at a fraudulently low cost, resulting in financial loss for the vendor.

Impact

The primary impact of CVE-2026-15288 is direct financial loss for organizations utilizing the SureForms - Drag and Drop Form Builder for WordPress plugin. Unauthenticated attackers can exploit this vulnerability to purchase goods or services at arbitrarily reduced prices, potentially down to zero. This could lead to significant revenue loss, inventory depletion without proper compensation, and reputational damage for e-commerce businesses. While specific victim counts are not available, all WordPress sites using affected plugin versions are at risk of fraudulent transactions.

Recommendation

  • Update the SureForms - Drag and Drop Form Builder for WordPress plugin to a version beyond 2.2.1 immediately to patch CVE-2026-15288.
  • Deploy the Sigma rule "Detect CVE-2026-15288 Exploitation - SureForms Plugin Payment Amount Manipulation" to your SIEM and tune for your environment.
  • Review webserver logs (e.g., Apache, Nginx access logs) for POST requests to /wp-admin/admin-ajax.php containing action=create_payment_intent or action=create_subscription_intent alongside unusually low amount parameters, indicating potential exploitation of CVE-2026-15288.

Detection coverage 1

Detect CVE-2026-15288 Exploitation - SureForms Plugin Payment Amount Manipulation

high

Detects exploitation attempts against CVE-2026-15288 where an unauthenticated attacker modifies the payment amount in SureForms WordPress plugin via `create_payment_intent` or `create_subscription_intent` AJAX actions to unusually low values.

sigma tactics: initial_access techniques: T1190 sources: webserver

Detection queries are available on the platform. Get full rules →