Medium severity5.3NVD Advisory· Published May 2, 2024· Updated Apr 15, 2026

CVE-2024-3649

Description

The Contact Form by WPForms – Drag & Drop Form Builder for WordPress plugin for WordPress is vulnerable to price manipulation in versions up to, and including, 1.8.7.2. This is due to a lack of controls on several product parameters. This makes it possible for unauthenticated attackers to manipulate prices, product information, and quantities for purchases made via the Stripe payment integration.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/changeset/3075634nvd
plugins.trac.wordpress.org/changeset/3075634/wpforms-lite/trunk/assets/js/integrations/stripe/wpforms-stripe-payment-element.jsnvd
www.wordfence.com/threat-intel/vulnerabilities/id/68a509ae-9943-4b9a-8ede-2b5732e96e6dnvd

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000