CVE-2026-4987
Published: 28 March 2026
Summary
CVE-2026-4987 is a high-severity Improper Input Validation (CWE-20) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 31.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of user-controlled inputs such as the form_id parameter, to prevent bypass of payment amount validation in the create_payment_intent function.
- SI-2 (Flaw Remediation): Mandates timely identification, reporting, and correction of flaws such as the improper validation in the SureForms plugin, enabling patching via the provided changeset.
- Supports scanning for vulnerabilities like CVE-2026-4987 in WordPress plugins to identify and prioritize remediation before exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The affected component is a public-facing WordPress plugin with an unauthenticated, remote input validation bypass (form_id=0), which directly enables T1190 (Exploit Public-Facing Application). The resulting payment amount manipulation facilitates T1657 (Financial Theft) through underpriced payment intents.
NVD Description
The SureForms – Contact Form, Payment Form & Other Custom Form Builder plugin for WordPress is vulnerable to Payment Amount Bypass in all versions up to, and including, 2.5.2. This is due to the create_payment_intent() function performing a payment validation solely based on the value of a user-controlled parameter. This makes it possible for unauthenticated attackers to bypass configured form payment-amount validation and create underpriced payment/subscription intents by setting form_id to 0.
Deeper analysis
CVE-2026-4987 is a Payment Amount Bypass vulnerability affecting the SureForms – Contact Form, Payment Form & Other Custom Form Builder plugin for WordPress in all versions up to and including 2.5.2. The issue stems from the create_payment_intent() function, which performs payment validation based solely on a user-controlled parameter. By setting the form_id parameter to 0, attackers can bypass configured form payment-amount validation. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and is associated with CWE-20 (Improper Input Validation). It was published on 2026-03-28.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. Exploitation involves manipulating the form_id parameter during payment intent creation, allowing attackers to generate underpriced payment or subscription intents that bypass the intended amount restrictions set by form configurations.
Mitigation is addressed in the plugin's WordPress trac changeset 3488858, which likely includes the patch fixing the validation logic. Additional details and threat intelligence are available on Wordfence's vulnerability page. Security practitioners should update to a version later than 2.5.2 and review any existing SureForms payment forms for exposure.
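To make the defect class concrete, the following is an added, hypothetical PHP sketch (not SureForms' code; the helper name my_get_form_config and the option keys are assumed) that places the weak pattern the advisory describes beside a hardened version, which fails closed on an unresolvable form_id and takes the amount from server-side configuration rather than the request:

```php
<?php
// Hypothetical sketch, not the plugin's real code. Assumed helper:
// my_get_form_config(int $id): ?array  -> stored form settings, or null if unknown.

// WEAK PATTERN (as the advisory describes): the amount check is gated on a
// user-controlled parameter. A form_id of 0 resolves to no configuration,
// so the check is skipped and the client-supplied amount is accepted.
function weak_create_payment_intent(array $request): array {
    $form_id = (int) ($request['form_id'] ?? 0);
    $amount  = (int) ($request['amount'] ?? 0);   // minor units, from the client

    $config = $form_id > 0 ? my_get_form_config($form_id) : null;
    if ($config !== null && $amount < $config['amount']) {
        return ['error' => 'amount below configured price'];
    }
    return ['ok' => true, 'amount' => $amount];   // client-chosen when form_id=0
}

// HARDENED PATTERN: reject any form_id that is not a positive integer or
// does not map to a payment-enabled form, and never trust a client amount.
function hardened_create_payment_intent(array $request): array {
    $form_id = filter_var($request['form_id'] ?? null, FILTER_VALIDATE_INT,
                          ['options' => ['min_range' => 1]]);
    if ($form_id === false) {
        return ['error' => 'invalid form_id'];
    }
    $config = my_get_form_config($form_id);
    if ($config === null || empty($config['payment_enabled'])) {
        return ['error' => 'unknown form or payments disabled'];
    }
    // The stored amount is authoritative; the request cannot lower it.
    return ['ok' => true, 'amount' => (int) $config['amount'], 'form_id' => $form_id];
}

// Constructed stub for the assumed helper so the sketch runs stand-alone:
// one form (id 42) configured at 5000 minor units.
function my_get_form_config(int $id): ?array {
    $forms = [42 => ['payment_enabled' => true, 'amount' => 5000]];
    return $forms[$id] ?? null;
}

// Constructed request: form_id=0 with an underpriced amount.
var_dump(weak_create_payment_intent(['form_id' => 0, 'amount' => 1]));      // accepted
var_dump(hardened_create_payment_intent(['form_id' => 0, 'amount' => 1]));  // rejected
```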
Details
- CWE(s): CWE-20 (Improper Input Validation)