CVE-2026-11567
Received Received - Intake

Unauthenticated Payment Underpayment in SureForms WordPress Plugin

Vulnerability report for CVE-2026-11567, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-14

Assigner: WPScan

Description

The SureForms WordPress plugin before 2.11.1 does not properly validate the payment amount on forms that use a dynamically-sourced (variable/hidden) payment amount, allowing unauthenticated users to underpay for the configured product or subscription. Forms using a fixed configured price are not affected.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-14
Generated
2026-07-14
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wpforms sureforms to 2.11.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

If you are using the SureForms WordPress plugin (versions before 2.11.1) with forms that rely on dynamically-sourced payment amounts, this vulnerability could have the following impacts:

  • Financial loss: Attackers can pay less than the intended amount for products or subscriptions, leading to revenue loss for your business.
  • Fraudulent transactions: Unauthorized users may exploit the flaw to bypass payment validation, resulting in fraudulent or incomplete transactions.
  • Operational disruption: If your business relies on accurate payment processing, this vulnerability could disrupt workflows or require manual intervention to correct underpaid transactions.

Forms with fixed prices are not vulnerable, so the impact is limited to configurations using dynamic payment amounts.

Executive Summary

CVE-2026-11567 is a vulnerability in the SureForms WordPress plugin (versions before 2.11.1) that allows unauthenticated users to manipulate payment amounts on forms. Specifically, the plugin fails to properly validate payment amounts when they are dynamically sourced (e.g., variable or hidden fields). This flaw enables attackers to underpay for products or subscriptions configured in such forms.

Forms that use a fixed, pre-configured price are not affected by this issue. The vulnerability is classified under broken access control (OWASP A5, CWE-284) and has been assigned a CVSS score of 5.9 (medium severity).

Compliance Impact

This vulnerability may have implications for compliance with certain standards and regulations, depending on the context of your organization:

  • **GDPR (General Data Protection Regulation)**: While GDPR primarily focuses on data privacy and protection, financial fraud resulting from this vulnerability could lead to unauthorized access to personal or payment data. If such data is compromised due to exploitation, it may trigger GDPR reporting obligations or penalties for failing to implement adequate security measures.
  • **PCI DSS (Payment Card Industry Data Security Standard)**: If your organization processes payments via the SureForms plugin, this vulnerability could violate PCI DSS requirements for secure payment processing. Specifically, it may fail to meet controls related to access control (Requirement 7) and secure transaction validation (Requirement 6). Non-compliance with PCI DSS can result in fines or restrictions on payment processing capabilities.
  • **HIPAA (Health Insurance Portability and Accountability Act)**: HIPAA applies to organizations handling protected health information (PHI). If the SureForms plugin is used in a healthcare context (e.g., processing payments for medical services) and exploitation leads to unauthorized access to PHI, it could constitute a HIPAA violation. However, this vulnerability alone does not directly expose PHI unless payment forms are integrated with health-related data.

To mitigate compliance risks, organizations should update the plugin to the latest version (2.11.1 or later) and review their payment processing workflows for potential vulnerabilities.

Detection Guidance

To detect the vulnerability (CVE-2026-11567) on your WordPress site, you can follow these steps:

  • Check if the SureForms plugin is installed and its version is below 2.11.1. You can do this by navigating to the WordPress admin dashboard, then to 'Plugins' and looking for 'SureForms'. Alternatively, you can run the following command in the WordPress root directory to list installed plugins and their versions:
  • `wp plugin list | grep sureforms` (for WP-CLI users)
  • Inspect forms created with SureForms to identify if they use dynamically-sourced (variable/hidden) payment amounts. This requires reviewing the form configurations in the WordPress admin panel under 'SureForms' > 'Forms'. Look for forms where the payment amount is not fixed but instead sourced from a hidden field or variable.
  • Monitor network traffic or logs for unusual payment submissions where the amount does not match the expected fixed price. This may indicate exploitation attempts.

Since the proof of concept (PoC) will be disclosed on July 23, 2026, you may also look for public exploits or scanning tools that emerge after that date to test for the vulnerability.

Mitigation Strategies

To mitigate CVE-2026-11567, take the following immediate steps:

  • Update the SureForms plugin to version 2.11.1 or later as soon as possible. This is the most effective way to resolve the vulnerability. You can update the plugin via the WordPress admin dashboard under 'Plugins' or using WP-CLI with the command:
  • `wp plugin update sureforms`
  • If updating is not immediately possible, temporarily disable or remove forms that use dynamically-sourced payment amounts. Replace them with forms that use fixed payment amounts until the update is applied.
  • Monitor payment transactions closely for any discrepancies or underpayments, especially for forms that cannot be immediately updated or replaced.
  • Consider implementing additional server-side validation for payment amounts if you must continue using dynamically-sourced amounts temporarily. This may require custom code or consulting with a developer.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11567. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart