CVE-2026-1782
Description
The MetForm Pro plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 3.9.7. This is due to the payment integrations (Stripe/PayPal) trusting a user-submitted calculation field value without recomputing or validating it against the configured form price. This makes it possible for unauthenticated attackers to manipulate the payment amount via the 'mf-calculation' field in the form submission REST request, provided a form with this particular configuration exists.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MetForm Pro ≤3.9.7 allows unauthenticated payment amount manipulation via unvalidated 'mf-calculation' field in Stripe/PayPal integrations.
Root Cause
The MetForm Pro plugin for WordPress, up to version 3.9.7, suffers from an improper input validation vulnerability in its payment integrations for Stripe and PayPal. The plugin trusts user-submitted calculation field values (via the 'mf-calculation' field) without recomputing or validating them against the configured form price [1]. This oversight allows an attacker to supply a manipulated value for the payment amount.
Exploitation
An unauthenticated attacker can exploit this by sending a specially crafted REST request to the form submission endpoint. The attack requires that the form includes a calculation field configured to compute the payment amount. No authentication is needed, and the attacker only needs network access to the WordPress site. The 'mf-calculation' field value is accepted as-is, enabling the attacker to set an arbitrary payment amount.
Impact
By manipulating the payment amount, an attacker can pay less than the intended price or even zero for products or services purchased through the form. This could lead to financial loss for the site owner and undermines the integrity of the payment process.
Mitigation
The vendor has not yet released a patched version, but users are advised to disable the calculation field in payment forms or apply input validation measures. Updating to a future version beyond 3.9.7 is recommended once available [1].
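As an added illustration of the server-side recomputation the mitigation calls for (a constructed example, not MetForm's code; the form schema, item names and submission layout are assumptions, and only the 'mf-calculation' field name comes from the advisory), the flawed pattern is shown beside the hardened one:

```python
"""Server-side price recomputation for a form payment handler (added example).

Constructed illustration, not MetForm's code. The form configuration, item
names and submission layout are assumptions; 'mf-calculation' is the field
the advisory names.
"""
from decimal import Decimal, ROUND_HALF_UP

# Constructed form configuration: prices live server-side, never in the request.
FORM_CONFIG = {
    "currency": "USD",
    "items": {"ticket": Decimal("49.00"), "workshop": Decimal("120.00")},
    "max_qty": 10,
}


def vulnerable_amount(submission: dict) -> Decimal:
    """The flawed pattern: the client-supplied calculation is charged as-is."""
    return Decimal(str(submission["mf-calculation"]))


def recompute_amount(config: dict, submission: dict) -> Decimal:
    """Hardened pattern: derive the charge only from server-side configuration.

    Only item identifiers and quantities are taken from the request, and both
    are validated before being priced.
    """
    total = Decimal("0")
    for item, qty in submission.get("items", {}).items():
        if item not in config["items"]:
            raise ValueError(f"unknown item {item!r}")
        qty = int(qty)
        if not 1 <= qty <= config["max_qty"]:
            raise ValueError(f"quantity out of range for {item!r}")
        total += config["items"][item] * qty
    if total <= 0:
        raise ValueError("empty order")
    return total.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def check_submission(config: dict, submission: dict) -> tuple:
    """Return (amount_to_charge, tampered).

    The charge is always the recomputed value; 'tampered' flags a submission
    whose client-side 'mf-calculation' disagrees with it, which is the
    condition worth logging and alerting on.
    """
    server = recompute_amount(config, submission)
    client = submission.get("mf-calculation")
    tampered = client is None or Decimal(str(client)) != server
    return server, tampered
```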
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
- Wordfence Intelligence Weekly WordPress Vulnerability Report (April 13, 2026 to April 19, 2026), Wordfence Blog, Apr 23, 2026