CVE-2026-1782
Received Received - Intake
Improper Input Validation in MetForm Pro Enables Payment Manipulation

Publication date: 2026-04-15

Last updated on: 2026-04-15

Assigner: Wordfence

Description
The MetForm Pro plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 3.9.7 This is due to the payment integrations (Stripe/PayPal) trusting a user-submitted calculation field value without recomputing or validating it against the configured form price. This makes it possible for unauthenticated attackers to manipulate the payment amount via the 'mf-calculation' field in the form submission REST request granted there exists a specific form with this particular configuration.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-15
Last Modified
2026-04-15
Generated
2026-06-16
AI Q&A
2026-04-15
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1782
EUVD
EUVD-2026-22851
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
metform metform_pro to 3.9.7 (inc)
wpmet metform to 3.9.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability involves manipulation of the 'mf-calculation' field in the form submission REST request to the MetForm Pro WordPress plugin. Detection would involve monitoring HTTP requests to the REST API endpoints of the affected WordPress site, specifically looking for suspicious or unexpected values in the 'mf-calculation' field within form submissions.

Commands to detect this could include using network monitoring tools or web server logs to filter for POST requests containing the 'mf-calculation' parameter. For example, using command-line tools like grep on web server logs:

  • grep -i 'mf-calculation' /var/log/apache2/access.log
  • grep -i 'mf-calculation' /var/log/nginx/access.log

Alternatively, using network packet capture tools like tcpdump or Wireshark to filter HTTP POST requests containing 'mf-calculation' in the payload could help identify exploitation attempts.

Executive Summary

The MetForm Pro plugin for WordPress has a vulnerability related to improper input validation in all versions up to and including 3.9.7. Specifically, the payment integrations with Stripe and PayPal trust a user-submitted calculation field value without verifying or recalculating it against the actual configured form price. This means that an unauthenticated attacker can manipulate the payment amount by altering the 'mf-calculation' field in the form submission REST request, provided there is a form configured in a particular way.

Impact Analysis

This vulnerability allows an unauthenticated attacker to manipulate the payment amount submitted through the MetForm Pro plugin. As a result, attackers could potentially pay less than the intended amount or bypass payment requirements by altering the 'mf-calculation' field. This could lead to financial loss or unauthorized access to paid services or products.

Mitigation Strategies

Immediate mitigation steps include updating the MetForm Pro plugin to a version later than 3.9.7 where this vulnerability is fixed.

If an immediate update is not possible, consider disabling or restricting access to the payment integration features (Stripe/PayPal) in the plugin until a patch is applied.

Additionally, monitor form submissions for suspicious 'mf-calculation' values and implement server-side validation to ensure payment amounts match configured form prices.

Compliance Impact

The provided information does not specify how the vulnerability in the MetForm Pro plugin affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1782. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart