CVE-2024-3649

Name of the Vulnerable Software and Affected Versions The Contact Form by WPForms – Drag & Drop Form Builder for WordPress versions up to, and including, 1.8.7.2

Description The issue is related to price manipulation due to a lack of controls on several product parameters. This allows unauthenticated attackers to manipulate prices, product information, and quantities for purchases made via the Stripe payment integration.

Recommendations For versions up to, and including, 1.8.7.2, update to a version that includes the necessary controls on product parameters to prevent price manipulation. As a temporary workaround, consider restricting access to the Stripe payment integration until a patch is available.