{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/sureforms/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-15288"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SureForms - Drag and Drop Form Builder for WordPress plugin \u003c= 2.2.1"],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","vulnerability","web","payment-fraud"],"_cs_type":"advisory","_cs_vendors":["SureForms"],"content_html":"\u003cp\u003eThe SureForms - Drag and Drop Form Builder for WordPress plugin, affecting all versions up to and including 2.2.1, contains an Improper Input Validation vulnerability (CVE-2026-15288). This flaw stems from the plugin's \u003ccode\u003ecreate_payment_intent\u003c/code\u003e and \u003ccode\u003ecreate_subscription_intent\u003c/code\u003e functions, which accept user-controlled payment amounts directly from POST data without verifying them against the intended product price. Discovered recently, this vulnerability allows unauthenticated attackers to manipulate payment amounts to arbitrary, significantly reduced values when submitting Stripe payment forms. This poses a critical risk to e-commerce sites using the plugin, enabling fraudulent purchases and direct financial losses for the vendor.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a target WordPress site utilizing the SureForms plugin (version \u0026lt;= 2.2.1).\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a purchase process on the victim site, leading to a Stripe payment form submission.\u003c/li\u003e\n\u003cli\u003eDuring the payment submission, the attacker intercepts the HTTP POST request intended for \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eamount\u003c/code\u003e parameter within the POST data, setting it to an arbitrarily low value (e.g., 0, 1, or 0.01).\u003c/li\u003e\n\u003cli\u003eThe manipulated POST request is then sent to the vulnerable \u003ccode\u003ecreate_payment_intent\u003c/code\u003e or \u003ccode\u003ecreate_subscription_intent\u003c/code\u003e functions within the plugin.\u003c/li\u003e\n\u003cli\u003eThe SureForms plugin processes the payment with the attacker-provided, unvalidated low amount.\u003c/li\u003e\n\u003cli\u003eThe payment gateway (Stripe) processes the transaction for the reduced amount, completing the purchase.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully acquires products or services at a fraudulently low cost, resulting in financial loss for the vendor.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe primary impact of CVE-2026-15288 is direct financial loss for organizations utilizing the SureForms - Drag and Drop Form Builder for WordPress plugin. Unauthenticated attackers can exploit this vulnerability to purchase goods or services at arbitrarily reduced prices, potentially down to zero. This could lead to significant revenue loss, inventory depletion without proper compensation, and reputational damage for e-commerce businesses. While specific victim counts are not available, all WordPress sites using affected plugin versions are at risk of fraudulent transactions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpdate the SureForms - Drag and Drop Form Builder for WordPress plugin to a version beyond 2.2.1 immediately to patch CVE-2026-15288.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect CVE-2026-15288 Exploitation - SureForms Plugin Payment Amount Manipulation\u0026quot; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eReview webserver logs (e.g., Apache, Nginx access logs) for POST requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e containing \u003ccode\u003eaction=create_payment_intent\u003c/code\u003e or \u003ccode\u003eaction=create_subscription_intent\u003c/code\u003e alongside unusually low \u003ccode\u003eamount\u003c/code\u003e parameters, indicating potential exploitation of CVE-2026-15288.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T05:19:51Z","date_published":"2026-07-10T05:19:51Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-15288-sureforms-payment-manipulation/","summary":"The SureForms - Drag and Drop Form Builder for WordPress plugin (versions up to and including 2.2.1) is vulnerable to improper input validation (CVE-2026-15288), allowing unauthenticated attackers to modify payment amounts in user-controlled POST data when submitting Stripe payment forms, enabling them to purchase products or services at arbitrarily reduced prices.","title":"CVE-2026-15288: SureForms WordPress Plugin Payment Manipulation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-15288-sureforms-payment-manipulation/"}],"language":"en","title":"CraftedSignal Threat Feed - SureForms","version":"https://jsonfeed.org/version/1.1"}