WPForms Price Manipulation in <=1.8.7.2 via Stripe Integration
CVE-2024-3649 Published on May 2, 2024
Contact Form by WPForms – Drag & Drop Form Builder for WordPress <= 1.8.7.2 - Unauthenticated Price Manipulation
The Contact Form by WPForms – Drag & Drop Form Builder for WordPress plugin is vulnerable to price manipulation in versions up to, and including, 1.8.7.2. This is due to a lack of server-side controls on several product parameters, which makes it possible for unauthenticated attackers to manipulate prices, product information, and quantities for purchases made via the Stripe payment integration.
Weakness Type
What is an Assumed-Immutable Parameter Tampering Vulnerability?
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.
CVE-2024-3649 has been classified as an Assumed-Immutable Parameter Tampering vulnerability or weakness.
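The weakness described above, as an added illustration that is not WPForms code: a payment handler that builds the Stripe charge from hidden form fields (price, product name, quantity) is shown beside one that accepts only a product id and quantity and re-derives everything else from a server-side catalog. The catalog, field names and handler functions are constructed for this example.

```python
"""Constructed illustration of assumed-immutable parameter tampering (CWE-472)
in a payment form handler. Not WPForms code: the catalog, the hidden-field
names and both handlers are assumptions made for this example."""

# Constructed server-side catalog; amounts are in cents, as Stripe expects.
CATALOG = {
    "tshirt": {"name": "T-Shirt", "unit_amount": 2500},
    "mug": {"name": "Coffee Mug", "unit_amount": 1200},
}
MAX_QUANTITY = 10


def build_charge_vulnerable(post):
    """Trusts price, product name and quantity exactly as the browser posted
    them, so a rewritten hidden field becomes the charged amount."""
    quantity = int(post["quantity"])
    return {
        "description": post["product_name"],
        "amount": int(post["price"]) * quantity,
        "currency": "usd",
    }


def build_charge_hardened(post):
    """Only the product id and quantity come from the client; the price and
    name are looked up server-side and the quantity is bounds-checked."""
    product = CATALOG.get(post.get("product_id"))
    if product is None:
        raise ValueError("unknown product")
    qty_raw = post.get("quantity", "1")
    # str.isdecimal() guarantees int() will parse; then enforce the range.
    if not qty_raw.isdecimal() or not 1 <= int(qty_raw) <= MAX_QUANTITY:
        raise ValueError("quantity must be an integer between 1 and %d" % MAX_QUANTITY)
    quantity = int(qty_raw)
    return {
        "description": product["name"],
        "amount": product["unit_amount"] * quantity,
        "currency": "usd",
    }


# Constructed submission in which the client rewrote the hidden price field.
TAMPERED = {"product_id": "tshirt", "product_name": "T-Shirt",
            "price": "1", "quantity": "2"}

if __name__ == "__main__":
    print(build_charge_vulnerable(TAMPERED)["amount"])  # 2
    print(build_charge_hardened(TAMPERED)["amount"])    # 5000
```

Logging the difference between the client-supplied and server-computed amounts is also a cheap detection signal for tampering attempts against forms that have not yet been updated.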
Products Associated with CVE-2024-3649
Affected Versions
smub WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More:
- Versions before and including 1.8.7.2 (<= 1.8.7.2) are affected.