Home

Description

The SureForms WordPress plugin before 2.11.1 does not properly validate the payment amount on forms that use a dynamically-sourced (variable/hidden) payment amount, allowing unauthenticated users to underpay for the configured product or subscription. Forms using a fixed configured price are not affected.

PUBLISHED Reserved 2026-06-08 | Published 2026-07-14 | Updated 2026-07-14 | Assigner WPScan

Problem types

CWE-284 Improper Access Control

Product status

Default status
unaffected

Any version before 2.11.1
affected

Credits

Yaswanth Reddy Sunkara finder

WPScan coordinator

References

wpscan.com/...rability/bd738da7-f950-4da9-bcc1-c1fe845d7faa/ exploit vdb-entry technical-description

cve.org (CVE-2026-11567)

nvd.nist.gov (CVE-2026-11567)

Download JSON