CVE-2026-1782
Improper Input Validation in MetForm Pro Enables Payment Manipulation
Publication date: 2026-04-15
Last updated on: 2026-04-15
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| metform | metform_pro | to 3.9.7 (inc) |
| wpmet | metform | to 3.9.7 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The MetForm Pro plugin for WordPress has a vulnerability related to improper input validation in all versions up to and including 3.9.7. Specifically, the payment integrations with Stripe and PayPal trust a user-submitted calculation field value without verifying or recalculating it against the actual configured form price. This means that an unauthenticated attacker can manipulate the payment amount by altering the 'mf-calculation' field in the form submission REST request, provided there is a form configured in a particular way.
How can this vulnerability impact me? :
This vulnerability allows an unauthenticated attacker to manipulate the payment amount submitted through the MetForm Pro plugin. As a result, attackers could potentially pay less than the intended amount or bypass payment requirements by altering the 'mf-calculation' field. This could lead to financial loss or unauthorized access to paid services or products.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the vulnerability in the MetForm Pro plugin affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves manipulation of the 'mf-calculation' field in the form submission REST request to the MetForm Pro WordPress plugin. Detection would involve monitoring HTTP requests to the REST API endpoints of the affected WordPress site, specifically looking for suspicious or unexpected values in the 'mf-calculation' field within form submissions.
Commands to detect this could include using network monitoring tools or web server logs to filter for POST requests containing the 'mf-calculation' parameter. For example, using command-line tools like grep on web server logs:
- grep -i 'mf-calculation' /var/log/apache2/access.log
- grep -i 'mf-calculation' /var/log/nginx/access.log
Alternatively, using network packet capture tools like tcpdump or Wireshark to filter HTTP POST requests containing 'mf-calculation' in the payload could help identify exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the MetForm Pro plugin to a version later than 3.9.7 where this vulnerability is fixed.
If an immediate update is not possible, consider disabling or restricting access to the payment integration features (Stripe/PayPal) in the plugin until a patch is applied.
Additionally, monitor form submissions for suspicious 'mf-calculation' values and implement server-side validation to ensure payment amounts match configured form prices.