CVE-2026-11567
The SureForms WordPress plugin before 2.11.1 does not properly validate the payment amount on forms that use a dynamically-sourced (variabl
CVSS
5.9
Medium
EPSS
0.2%
p8
KEV
—
Exploit Today
2
0-100
Published: Jul 14, 2026 · Last modified: Jul 14, 2026
0.1%EPSS · 30 days0.2%
2026-07-142026-07-17
The SureForms WordPress plugin before 2.11.1 does not properly validate the payment amount on forms that use a dynamically-sourced (variable/hidden) payment amount, allowing unauthenticated users to underpay for the configured product or subscription. Forms using a fixed configured price are not affected.
No related CVEs by CWE or product.