Description
The SureForms WordPress plugin before 2.11.1 does not properly validate the payment amount on forms that use a dynamically-sourced (variable/hidden) payment amount, allowing unauthenticated users to underpay for the configured product or subscription. Forms using a fixed configured price are not affected.
Problem types
CWE-284 Improper Access Control
Product status
Any version before 2.11.1
Credits
Yaswanth Reddy Sunkara
WPScan
References
wpscan.com/...rability/bd738da7-f950-4da9-bcc1-c1fe845d7faa/