SureForms – Contact Form, Payment Form & Other Custom Form Builder …

by | Feb 13, 2026 | Plugins

Attack Vectors

The vulnerability affects Stripe payment forms built with SureForms – Drag and Drop Form Builder for WordPress (slug: sureforms) in versions up to and including 2.2.1. Because it is unauthenticated and rated High severity (CVSS 7.5), an attacker does not need a user account to attempt exploitation over the internet.

In practical terms, an attacker can submit a payment form while altering the payment amount in the background request. The plugin is described as accepting the payment amount directly from user-controlled POST data in the create_payment_intent and create_subscription_intent functions, rather than enforcing the price configured in the form. This opens a path to paying an arbitrary amount (including very low values) for items or services that should cost more.

Security Weakness

This issue is categorized as Improper Input Validation in SureForms versions <= 2.2.1. The weakness is not that Stripe itself is insecure, but that the plugin’s server-side logic is described as trusting a value supplied by the visitor (the amount) instead of validating it against the form’s configured price before creating a payment or subscription intent.

From a risk perspective, the key point is that pricing can be influenced by an external party if the application accepts “customer-provided” amounts without strict checks. With a CVSS vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, the rating highlights that the main impact is to integrity (I:H)—meaning business rules like pricing and billing correctness can be undermined.
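The pattern the advisory describes, shown as an added illustration in hypothetical WordPress handler code (not SureForms' own implementation): the weak version builds the Stripe intent from a client-supplied amount, while the hardened version takes the amount only from the form's server-side configuration. The post meta key `_example_form_price_cents`, the AJAX action names and the nonce action are constructed for the example.

```php
<?php
// Added example, not SureForms code. Hypothetical handlers for creating a
// Stripe PaymentIntent from a WordPress AJAX request. Amounts are in cents.

// Weak pattern described in the advisory: the amount comes straight from
// user-controlled POST data, so the visitor chooses what they pay.
function example_vulnerable_intent_params() {
    $amount = absint( $_POST['amount'] ?? 0 ); // client controls the price
    return [ 'amount' => $amount, 'currency' => 'usd' ];
}

// Hardened pattern: the amount is read only from the form's stored price.
// The constructed meta key '_example_form_price_cents' stands in for
// wherever a real plugin keeps the configured price.
function example_hardened_intent_params( $form_id ) {
    $configured = (int) get_post_meta( $form_id, '_example_form_price_cents', true );
    if ( $configured <= 0 ) {
        return new WP_Error( 'no_price', 'Form has no configured price.' );
    }
    // A client-supplied amount is never used; a mismatch is only logged,
    // which gives defenders a signal that someone tampered with the request.
    if ( isset( $_POST['amount'] ) && absint( $_POST['amount'] ) !== $configured ) {
        error_log( sprintf(
            'Form %d: client amount %s differs from configured %d',
            $form_id,
            sanitize_text_field( wp_unslash( $_POST['amount'] ) ),
            $configured
        ) );
    }
    return [ 'amount' => $configured, 'currency' => 'usd' ];
}

// Unauthenticated visitors can submit payment forms, so the nopriv hook is
// registered too; the nonce ties the request to the rendered form page.
function example_ajax_create_intent() {
    check_ajax_referer( 'example_payment_nonce', 'nonce' );
    $form_id = absint( $_POST['form_id'] ?? 0 );
    $params  = example_hardened_intent_params( $form_id );
    if ( is_wp_error( $params ) ) {
        wp_send_json_error( $params->get_error_message(), 400 );
    }
    // \Stripe\PaymentIntent::create( $params ) would be called here using a
    // secret key that lives only on the server.
    wp_send_json_success( $params );
}
add_action( 'wp_ajax_nopriv_example_create_intent', 'example_ajax_create_intent' );
add_action( 'wp_ajax_example_create_intent', 'example_ajax_create_intent' );
```

The same rule applies to subscription intents: the recurring price must be resolved from the server-side form or Stripe Price object, never from the submitted request.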

Technical or Business Impacts

Revenue loss and margin erosion: If attackers can manipulate the Stripe payment amount, they may purchase products, bookings, memberships, or services at a fraction of the intended price. Even a small number of successful transactions can meaningfully impact revenue and distort marketing ROI reporting.

Operational disruption: Teams may spend time investigating mismatched orders, reconciling Stripe records, issuing refunds, or handling customer disputes. Finance and operations may also need to review whether any subscriptions were created at incorrect pricing.

Compliance and audit risk: For organizations with compliance obligations, inaccurate billing and order records can raise audit and reporting concerns. It can also create internal control issues around pricing governance—especially if the payment flow is used for regulated services or contractual commitments.

Brand and customer trust impact: Payment irregularities can trigger customer confusion, public complaints, or negative reviews. Even if the attacker is the only “beneficiary,” downstream customer service friction can harm brand perception and retention.

Who should act and what to do now: If you use SureForms for Stripe payments, prioritize updating to version 2.2.2 (or a newer patched version) as the recommended remediation. After updating, review recent Stripe transactions and subscription creations for anomalies that could indicate manipulated amounts.

Similar Attacks

Price and payment manipulation through client-controlled values is a common pattern across e-commerce and payment integrations. Here are a few real-world examples that show how business logic weaknesses can lead to fraud or revenue-impacting abuse:

HackerOne report example: client-side parameter manipulation leading to payment/price abuse

OWASP: Parameter Tampering (how attackers change values in requests)

OWASP: Business Logic Vulnerabilities (realistic impacts and patterns)
