MetForm Pro Vulnerability (Medium) – CVE-2026-1782

Apr 14, 2026 | Plugins

Attack Vectors

MetForm Pro (slug: metform-pro) versions up to and including 3.9.7 are affected by CVE-2026-1782 (severity: Medium, CVSS 5.3). The issue is exploitable by an unauthenticated attacker (no login required) against a site that has at least one MetForm Pro form combining a calculation field with a payment integration such as Stripe or PayPal.

An attacker submits such a form and manipulates the payment amount by altering the mf-calculation value carried in the form submission REST request. The precondition matters: forms without a calculation field, or without a payment action, do not expose this issue, so the exposure is per form rather than site-wide.

Security Weakness

The vulnerability is caused by improper input validation: the payment integrations trust the user-submitted calculation field value without recomputing or validating it against the form's configured pricing. As a result, the amount used for payment can be influenced by what the user submits rather than by what the business intended to charge. The underlying design point is that a total computed in the browser is only a display hint; the amount handed to the payment gateway must be derived on the server from configured prices and validated field values, and any client-supplied total should at most be compared against that server figure.

Reference: CVE-2026-1782. Source advisory: Wordfence vulnerability intelligence.

Technical or Business Impacts

The primary business risk is revenue loss: attackers may be able to pay less than the intended amount (including potentially near-zero amounts) for products, services, deposits, event tickets, or donations collected through impacted forms. This can also create pricing integrity issues that undermine marketing campaigns (discount codes, bundles, tiered offers) and reduce confidence in online checkout flows.

Operationally, finance and operations teams may face reconciliation overhead (disputes, refunds, manual corrections) and potential compliance and audit concerns if payment records do not align with advertised pricing, quotes, or contractual terms. While the CVSS rating indicates no direct confidentiality impact, the integrity impact is real: the charge amount may not reflect the configured business rules.

Remediation: Update MetForm Pro to version 3.9.8 or newer (patched). After updating, review any forms that combine calculated pricing with Stripe or PayPal, and look for prior abuse by reconciling captured submissions against what the form configuration says they should have cost: sudden low-value or near-zero transactions on those forms, and charges that do not match the selected quantities or options, are the indicators to check in the payment provider's dashboard and in the site's order records.
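The following is an added example, not MetForm Pro's code, written in Python rather than the plugin's PHP so the logic can be read and run stand-alone. It serves both the weakness described under Security Weakness and the reconciliation advice in the remediation above: it shows the vulnerable pattern (charging whatever arrives in the mf-calculation field), a hardened handler that recomputes the total from server-side pricing and treats the client value only as a tamper check, and a scan over past transactions that flags charges below the repriced amount. FORM_CONFIG, the quantity and option field names, and the sample records are hypothetical; mf-calculation is the request field named in the advisory. In a WordPress plugin the same recomputation belongs in the REST route callback, before anything is sent to the gateway.

```python
"""Added example (not MetForm Pro's code): price a form submission server-side
instead of trusting the client-sent 'mf-calculation' total, then reconcile
past charges. FORM_CONFIG, the 'quantity'/'option' field names and the sample
records are hypothetical; 'mf-calculation' is the field named in the advisory."""
from decimal import Decimal, ROUND_HALF_UP
from typing import Iterable, Mapping

# Server-side pricing rules for one hypothetical form. Unit prices and option
# surcharges live here, never in the submitted request.
FORM_CONFIG = {
    "ticket_form": {
        "unit_price": Decimal("49.00"),
        "max_quantity": 10,
        "options": {
            "none": Decimal("0.00"),
            "vip": Decimal("25.00"),
            "parking": Decimal("10.00"),
        },
    }
}


def _money(value) -> Decimal:
    """Normalise to two decimal places; raises decimal.InvalidOperation
    (an ArithmeticError) for non-numeric input."""
    return Decimal(str(value)).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def vulnerable_charge_amount(submission: Mapping[str, str]) -> Decimal:
    """The pattern the advisory describes: the gateway is charged whatever the
    client put in the calculation field, so a tampered request sets its own price."""
    return _money(submission["mf-calculation"])


def expected_amount(form_id: str, submission: Mapping[str, str]) -> Decimal:
    """Recompute the total from FORM_CONFIG and validated inputs only."""
    cfg = FORM_CONFIG[form_id]
    try:
        quantity = int(submission.get("quantity", ""))
    except ValueError:
        raise ValueError("quantity must be an integer") from None
    if not 1 <= quantity <= cfg["max_quantity"]:
        raise ValueError("quantity out of range")
    option = submission.get("option", "none")
    if option not in cfg["options"]:
        raise ValueError("unknown option")
    return _money(cfg["unit_price"] * quantity + cfg["options"][option])


def tampered_total(form_id: str, submission: Mapping[str, str]) -> bool:
    """True when the client's mf-calculation is missing, non-numeric, or
    disagrees with the server total. The client value is never used for pricing."""
    try:
        return _money(submission.get("mf-calculation")) != expected_amount(form_id, submission)
    except ArithmeticError:  # garbage in the calculation field
        return True


def hardened_charge_amount(form_id: str, submission: Mapping[str, str]) -> Decimal:
    """Amount to hand to Stripe/PayPal: always the server-side figure. A
    mismatching client total is rejected so tampering attempts are visible."""
    if tampered_total(form_id, submission):
        raise ValueError("submitted total does not match configured pricing")
    return expected_amount(form_id, submission)


def find_underpaid(transactions: Iterable[Mapping]) -> list:
    """Post-patch reconciliation: flag charges below what the configured
    pricing says the captured submission should have cost."""
    flagged = []
    for tx in transactions:
        try:
            should_be = expected_amount(tx["form_id"], tx["fields"])
        except (KeyError, ValueError) as exc:
            flagged.append((tx["id"], f"cannot reprice: {exc}"))
            continue
        charged = _money(tx["charged"])
        if charged < should_be:
            flagged.append((tx["id"], f"charged {charged}, expected {should_be}"))
    return flagged


# Constructed sample records: one honest order, one with a rewritten total.
SAMPLE_TRANSACTIONS = [
    {"id": "ch_1", "form_id": "ticket_form", "charged": "123.00",
     "fields": {"quantity": "2", "option": "vip", "mf-calculation": "123.00"}},
    {"id": "ch_2", "form_id": "ticket_form", "charged": "0.50",
     "fields": {"quantity": "3", "option": "parking", "mf-calculation": "0.50"}},
]

if __name__ == "__main__":
    for tx in SAMPLE_TRANSACTIONS:
        print(tx["id"], "vulnerable:", vulnerable_charge_amount(tx["fields"]),
              "server:", expected_amount(tx["form_id"], tx["fields"]))
    print("underpaid:", find_underpaid(SAMPLE_TRANSACTIONS))
```

Rejecting a mismatch rather than silently charging the recomputed amount is a design choice: both close the hole, but a rejection leaves a log line that distinguishes a tampering attempt from an ordinary order, which is what the monitoring advice above depends on. The reconciliation scan needs the original field values from each submission; if only the charged amount survives, the weaker fallback is to flag any charge on a payment form that is below the smallest price the configuration can produce.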

Similar attacks (real-world examples): Payment and price manipulation vulnerabilities have appeared across industries, including the 2018 Airtickets.ie pricing error case, the 2023 OWASP guidance on broken access control and parameter tampering, and the 2021 CISA alert archive highlighting recurring web application manipulation patterns.
