[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fQxZaatDLFpyfVfjQsWoRwNRXYgMsTd4XOs2GfU800sA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":9,"research_exploit_outline":28,"research_model_used":29,"research_started_at":30,"research_completed_at":31,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"source_links":32},"CVE-2026-1782","metform-pro-unauthenticated-payment-amount-manipulation-via-mf-calculation","MetForm Pro \u003C= 3.9.7 - Unauthenticated Payment Amount Manipulation via 'mf-calculation'","The MetForm Pro plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 3.9.7. This is due to the payment integrations (Stripe\u002FPayPal) trusting a user-submitted calculation field value without recomputing or validating it against the configured form price. 
This makes it possible for unauthenticated attackers to manipulate the payment amount via the 'mf-calculation' field in the form submission REST request granted there exists a specific form with this particular configuration.","metform-pro",null,"\u003C=3.9.7","3.9.8","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Improper Input Validation","2026-04-14 19:59:33","2026-04-15 08:28:16",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa49dd64b-6ae8-49ed-9e8a-e5b73c2acf4b?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-1782 (MetForm Pro Price Manipulation)\n\n## 1. Vulnerability Summary\nThe **MetForm Pro** plugin (up to version 3.9.7) contains a vulnerability that allows unauthenticated users to manipulate payment amounts. When a form is configured to use a calculation field (`mf-calculation`) for the total price in Stripe or PayPal integrations, the plugin fails to verify the calculated total on the server side. Instead, it trusts the value sent in the `mf-calculation` parameter of the form submission REST request.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `POST \u002Fwp-json\u002Fmetform\u002Fv1\u002Fentries\u002Finsert\u002F{form_id}` (or similar REST route used for form submission).\n- **Vulnerable Parameter:** `mf-calculation` (and potentially specific field IDs prefixed with `mf-field-calculation-`).\n- **Authentication:** None required (Unauthenticated).\n- **Preconditions:** \n    1. A MetForm must be published containing a \"Calculation\" field.\n    2. The form must have Stripe or PayPal payment integration enabled.\n    3. The payment settings must be configured to use the calculation field as the total price.\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** The user submits a form. 
This triggers a request to the MetForm REST API handler, typically registered via `register_rest_route` in `metform-pro\u002Finc\u002Fapi\u002Fentry.php`.\n2.  **Processing:** The submission handler (e.g., `insert_entry`) processes the fields.\n3.  **Payment Initialization:** If payment is enabled, the plugin invokes the payment gateway logic (e.g., `metform-pro\u002Finc\u002Fpayment\u002Fstripe-handler.php`).\n4.  **Vulnerability:** The payment handler retrieves the amount to charge. It looks for the value of the calculation field provided in the request:\n    ```php\n    $amount = $request->get_param('mf-calculation'); \u002F\u002F Vulnerable line\n    \u002F\u002F Or it might use the specific field key\n    ```\n5.  **Sink:** The unvalidated `$amount` is passed directly to the Stripe\u002FPayPal API to create a checkout session or order.\n\n## 4. Nonce Acquisition Strategy\nMetForm typically requires a REST nonce for submissions, localized via `wp_localize_script`.\n\n1.  **Identify Script\u002FVariable:** MetForm often uses the variable `mf_data` or `metform_rest_obj`.\n2.  **Create Test Page:**\n    - Use WP-CLI to create a page containing a MetForm shortcode:\n      `wp post create --post_type=page --post_status=publish --post_content='[metform form_id=\"123\"]' --post_title='Payment Form'`\n3.  **Navigate and Extract:**\n    - Use `browser_navigate` to the created page.\n    - Use `browser_eval` to extract the nonce:\n      ```javascript\n      \u002F\u002F Common MetForm localization patterns\n      window.metform_rest_obj?.nonce || window.mf_data?.nonce\n      ```\n4.  **Action String:** The nonce is usually for the `wp_rest` action.\n\n## 5. Exploitation Strategy\n### Step 1: Form Identification\nFind an existing form ID that has calculation and payment enabled. 
If creating a test environment, note the `form_id`.\n\n### Step 2: Extract Parameters\nSubmit a legitimate form once while monitoring the network tab to see the exact structure of the JSON payload. It usually includes:\n- `form_id`: The ID of the form.\n- `mf-calculation`: The total price.\n- `mf-field-calculation-XXXX`: The specific field value.\n\n### Step 3: Manipulate and Submit\nPerform a `POST` request to the REST endpoint with a manipulated price.\n\n**Request Details:**\n- **URL:** `http:\u002F\u002F[target]\u002Fwp-json\u002Fmetform\u002Fv1\u002Fentries\u002Finsert\u002F[form_id]`\n- **Method:** `POST`\n- **Headers:**\n    - `Content-Type: application\u002Fjson`\n    - `X-WP-Nonce: [extracted_nonce]`\n- **Payload:**\n    ```json\n    {\n      \"form_id\": \"[form_id]\",\n      \"mf-calculation\": \"0.01\",\n      \"mf-field-calculation-123\": \"0.01\",\n      \"other_fields\": \"data\"\n    }\n    ```\n\n### Step 4: Verification of Manipulation\nThe response from a successful submission usually contains a redirect URL to Stripe or PayPal.\n- **Expected Response:** `200 OK` or `302` containing a `payment_url`.\n- **Validation:** Inspect the `payment_url`. If it is a Stripe Checkout link, navigate to it and verify the price displayed is $0.01 instead of the configured price.\n\n## 6. Test Data Setup\n1.  **Install MetForm Pro 3.9.7.**\n2.  **Configure Stripe\u002FPayPal:** Enable \"Test Mode\" in the plugin settings to avoid real transactions.\n3.  **Create a Form:**\n    - Add a \"Number\" field (Price).\n    - Add a \"Calculation\" field (set formula to the Number field's value).\n    - Enable Stripe in the \"Payment\" tab and select the \"Calculation\" field as the \"Total Price\".\n4.  **Publish:** Add the form to a public WordPress page using the `[metform id=\"...\"]` shortcode.\n\n## 7. 
Expected Results\n- **Success:** The plugin returns a payment session URL where the total amount matches the attacker-provided `mf-calculation` value rather than the server-calculated value.\n- **Failure:** The plugin returns an error, or the payment session URL reflects the correct price (indicating server-side re-calculation).\n\n## 8. Verification Steps\n1.  **Capture Response:** Store the `payment_url` returned by the `http_request`.\n2.  **Browser Check:** Use `browser_navigate(\"[payment_url]\")`.\n3.  **Inspect DOM:** Use `browser_eval` to check the price displayed on the Stripe\u002FPayPal checkout page.\n    - Example for Stripe: `document.querySelector('.Checkout-TotalAmount').innerText`\n\n## 9. Alternative Approaches\n- **Parameter Variation:** If `mf-calculation` is ignored, try targeting the specific field ID found in the HTML source (e.g., `name=\"mf-field-calculation-789\"`).\n- **Request Format:** If `application\u002Fjson` fails, try `application\u002Fx-www-form-urlencoded`.\n- **Form Action:** Check if the form submits to `admin-ajax.php` instead of the REST API in older configurations; if so, the action is likely `metform_entries_insert`.","MetForm Pro (up to version 3.9.7) is vulnerable to payment amount manipulation because it trusts the user-submitted 'mf-calculation' value during form submission. Unauthenticated attackers can override the intended price of a product or service by providing a lower value in the REST API request, which is then passed directly to Stripe or PayPal gateways.","\u002F\u002F Inferred from metform-pro\u002Finc\u002Fapi\u002Fentry.php or payment handlers\n\u002F\u002F The plugin retrieves the amount directly from the request parameters without server-side validation\n$amount = $request->get_param('mf-calculation');","1. Identify a WordPress site using MetForm Pro with a form that has a 'Calculation' field linked to Stripe or PayPal payments.\n2. 
Extract the REST API nonce from the frontend source code (usually located in the 'metform_rest_obj' or 'mf_data' JavaScript objects).\n3. Identify the 'form_id' and the specific field names (e.g., 'mf-calculation' and 'mf-field-calculation-XXXX') used by the form.\n4. Send a POST request to the endpoint '\u002Fwp-json\u002Fmetform\u002Fv1\u002Fentries\u002Finsert\u002F{form_id}' using the extracted nonce in the 'X-WP-Nonce' header.\n5. Include a JSON payload where the 'mf-calculation' parameter is set to a manipulated price (e.g., '0.01').\n6. Follow the 'payment_url' returned in the JSON response to confirm the payment gateway (Stripe\u002FPayPal) is requesting the manipulated amount.","gemini-3-flash-preview","2026-04-16 15:37:14","2026-04-16 15:37:34",{"type":33,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":34},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmetform-pro\u002Ftags"]