<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>SureForms - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/sureforms/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 10 Jul 2026 05:19:51 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/sureforms/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-15288: SureForms WordPress Plugin Payment Manipulation Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-15288-sureforms-payment-manipulation/</link><pubDate>Fri, 10 Jul 2026 05:19:51 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-15288-sureforms-payment-manipulation/</guid><description>The SureForms - Drag and Drop Form Builder for WordPress plugin (versions up to and including 2.2.1) is vulnerable to improper input validation (CVE-2026-15288), allowing unauthenticated attackers to modify payment amounts in user-controlled POST data when submitting Stripe payment forms, enabling them to purchase products or services at arbitrarily reduced prices.</description><content:encoded><![CDATA[<p>The SureForms - Drag and Drop Form Builder for WordPress plugin, affecting all versions up to and including 2.2.1, contains an Improper Input Validation vulnerability (CVE-2026-15288). This flaw stems from the plugin's <code>create_payment_intent</code> and <code>create_subscription_intent</code> functions, which accept user-controlled payment amounts directly from POST data without verifying them against the intended product price. Discovered recently, this vulnerability allows unauthenticated attackers to manipulate payment amounts to arbitrary, significantly reduced values when submitting Stripe payment forms. This poses a critical risk to e-commerce sites using the plugin, enabling fraudulent purchases and direct financial losses for the vendor.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a target WordPress site utilizing the SureForms plugin (version &lt;= 2.2.1).</li>
<li>The attacker initiates a purchase process on the victim site, leading to a Stripe payment form submission.</li>
<li>During the payment submission, the attacker intercepts the HTTP POST request intended for <code>/wp-admin/admin-ajax.php</code>.</li>
<li>The attacker modifies the <code>amount</code> parameter within the POST data, setting it to an arbitrarily low value (e.g., 0, 1, or 0.01).</li>
<li>The manipulated POST request is then sent to the vulnerable <code>create_payment_intent</code> or <code>create_subscription_intent</code> functions within the plugin.</li>
<li>The SureForms plugin processes the payment with the attacker-provided, unvalidated low amount.</li>
<li>The payment gateway (Stripe) processes the transaction for the reduced amount, completing the purchase.</li>
<li>The attacker successfully acquires products or services at a fraudulently low cost, resulting in financial loss for the vendor.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The primary impact of CVE-2026-15288 is direct financial loss for organizations utilizing the SureForms - Drag and Drop Form Builder for WordPress plugin. Unauthenticated attackers can exploit this vulnerability to purchase goods or services at arbitrarily reduced prices, potentially down to zero. This could lead to significant revenue loss, inventory depletion without proper compensation, and reputational damage for e-commerce businesses. While specific victim counts are not available, all WordPress sites using affected plugin versions are at risk of fraudulent transactions.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Update the SureForms - Drag and Drop Form Builder for WordPress plugin to a version beyond 2.2.1 immediately to patch CVE-2026-15288.</li>
<li>Deploy the Sigma rule &quot;Detect CVE-2026-15288 Exploitation - SureForms Plugin Payment Amount Manipulation&quot; to your SIEM and tune for your environment.</li>
<li>Review webserver logs (e.g., Apache, Nginx access logs) for POST requests to <code>/wp-admin/admin-ajax.php</code> containing <code>action=create_payment_intent</code> or <code>action=create_subscription_intent</code> alongside unusually low <code>amount</code> parameters, indicating potential exploitation of CVE-2026-15288.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>vulnerability</category><category>web</category><category>payment-fraud</category></item></channel></rss>