Vulnerabilities

CVE-2026-1782

Medium
CWE-20 — Weakness Type
Published: Apr 15, 2026  ·  Modified: Apr 18, 2026  ·  Source: NVD
CVSS v3
5.3
📄 Description (English)

The MetForm Pro plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 3.9.7. This is due to the payment integrations (Stripe/PayPal) trusting a user-submitted calculation field value without recomputing or validating it against the configured form price. This makes it possible for unauthenticated attackers to manipulate the payment amount via the 'mf-calculation' field in the form submission REST request, provided there exists a specific form with this particular configuration.

🤖 AI Executive Summary

MetForm Pro WordPress plugin versions up to 3.9.7 contain an improper input validation vulnerability in payment integrations (Stripe/PayPal) that allows unauthenticated attackers to manipulate payment amounts by submitting arbitrary values in the 'mf-calculation' field. This vulnerability enables financial fraud through price manipulation without authentication. While no patch is currently available, the medium CVSS score (5.3) reflects the requirement for specific form configuration, limiting but not eliminating risk exposure.


🤖 AI Intelligence Analysis Analyzed: May 30, 2026 02:19
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using MetForm Pro for e-commerce, payment processing, or online services face direct financial fraud risk. Most impacted sectors: Banking and Financial Services (payment gateway integrations), E-commerce platforms, Government digital services (GOSI, MOH online services), Telecommunications (STC, Mobily online billing), and Healthcare providers accepting online payments. Organizations relying on Stripe or PayPal integrations through MetForm Pro are at highest risk of revenue loss and transaction manipulation. The vulnerability is particularly concerning for SAMA-regulated entities processing financial transactions.
🏢 Affected Saudi Sectors
Banking and Financial Services
E-commerce and Retail
Government Digital Services
Healthcare Providers
Telecommunications
Insurance
Education (online payment systems)
⚖️ Saudi Risk Score (AI)
6.8 / 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Audit all WordPress installations using MetForm Pro plugin and identify forms with Stripe/PayPal payment integrations
2. Disable or restrict access to affected forms until patched
3. Review transaction logs for suspicious payment amounts, particularly those deviating from configured prices
4. Implement Web Application Firewall (WAF) rules to block requests with suspicious 'mf-calculation' field values

Compensating Controls:
1. Implement server-side price validation: recompute all payment amounts server-side before processing with payment gateways
2. Add transaction verification: cross-reference submitted amounts against form configuration before payment processing
3. Enable payment gateway fraud detection and velocity checks
4. Implement rate limiting on payment form submissions
5. Add logging and alerting for price discrepancies between form configuration and submitted values

Detection Rules:
1. Monitor for POST requests to MetForm endpoints with 'mf-calculation' field values that don't match configured prices
2. Alert on payment transactions where submitted amount differs from expected form price
3. Track failed payment attempts with manipulated amounts
4. Monitor for repeated attempts to submit different 'mf-calculation' values from same IP/session
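The compensating controls and detection rules above share one idea: the charge sent to the gateway is recomputed from the form's configured price, and the client-supplied 'mf-calculation' value is only compared against it and logged. The following is an added example illustrating both, not MetForm Pro's code; the form catalogue, quantity field, and JSON log format are constructed for the example (only the 'mf-calculation' field name comes from the advisory).

```python
"""Server-side price recomputation plus mismatch/repeat-attempt detection for a
client-calculated payment field. Form schema and log format are assumptions."""
import json
from collections import Counter
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP

# Constructed catalogue: the authoritative price lives here, never in the request.
FORM_CATALOGUE = {"form_42": {"unit_price": Decimal("150.00"), "currency": "SAR"}}
CENT = Decimal("0.01")


def expected_amount(form_id, quantity):
    """Authoritative charge: configured unit price times a range-checked quantity."""
    if not 1 <= quantity <= 100:  # hypothetical business limit, also rejects 0/negative
        raise ValueError("quantity out of range")
    price = FORM_CATALOGUE[form_id]["unit_price"]
    return (price * quantity).quantize(CENT, rounding=ROUND_HALF_UP)


def authorize_charge(form_id, submission):
    """Return the amount to send to the gateway; the client value is compared, never charged."""
    expected = expected_amount(form_id, int(submission.get("quantity", 1)))
    client = Decimal(str(submission.get("mf-calculation", "0"))).quantize(CENT)
    return {"amount": expected, "client_amount": client, "mismatch": client != expected}


def detect_mismatches(log_lines, threshold=2):
    """Detection rule over constructed JSON request logs: alert on every submission whose
    client amount disagrees with the recomputed price, and list sources that try
    `threshold` or more differing values (repeat-attempt rule)."""
    alerts, per_source = [], Counter()
    for line in log_lines:
        rec = json.loads(line)
        try:
            result = authorize_charge(rec["form_id"], rec["body"])
        except (KeyError, ValueError, InvalidOperation):
            alerts.append({"ip": rec.get("ip"), "reason": "malformed submission"})
            continue
        if result["mismatch"]:
            per_source[rec["ip"]] += 1
            alerts.append({"ip": rec["ip"], "reason": "amount mismatch",
                           "expected": str(result["amount"]), "client": str(result["client_amount"])})
    repeat_offenders = [ip for ip, n in per_source.items() if n >= threshold]
    return alerts, repeat_offenders


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    json.dumps({"ip": "203.0.113.7", "form_id": "form_42", "body": {"quantity": 2, "mf-calculation": "300.00"}}),
    json.dumps({"ip": "198.51.100.9", "form_id": "form_42", "body": {"quantity": 2, "mf-calculation": "1.00"}}),
    json.dumps({"ip": "198.51.100.9", "form_id": "form_42", "body": {"quantity": 2, "mf-calculation": "0.50"}}),
]
```

Run against `SAMPLE_LOG`, the honest first request produces no alert, while the two under-priced requests from the same source yield two mismatch alerts and one repeat-offender entry.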

Patching:
1. Monitor MetForm Pro repository for security updates beyond version 3.9.7
2. Subscribe to plugin security advisories
3. Plan immediate upgrade upon patch availability
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
5.2.1 - Input validation and data sanitization controls
5.3.1 - Application security and secure coding practices
6.1.1 - Vulnerability management and patch management
7.2.1 - Transaction integrity and non-repudiation
🔵 SAMA CSF
ID.GV-1 - Organizational cybersecurity policy and governance
PR.DS-1 - Data security and protection
PR.IP-1 - Security development and implementation practices
DE.CM-1 - Detection and monitoring of anomalies
🟡 ISO 27001:2022
A.14.2.1 - Secure development policy
A.14.2.5 - Access control for program source code
A.12.6.1 - Management of technical vulnerabilities
A.12.2.1 - Monitoring of information systems
🟣 PCI DSS v4.0.1
6.5.1 - Injection flaws prevention
6.5.10 - Broken authentication
11.2.2 - Vulnerability scanning
12.2.1 - Security policies and procedures
📊 CVSS Score
5.3 / 10.0 — Medium
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: N — Network
Attack Complexity: L — Low
Privileges Required: N — None
User Interaction: N — None
Scope: U — Unchanged
Confidentiality: N — None
Integrity: L — Low
Availability: N — None
📋 Quick Facts
Severity: Medium
CVSS Score: 5.3
CWE: CWE-20
EPSS: 0.05%
Exploit: No
Patch: ✗ No
Published: 2026-04-15
Source Feed: nvd
🇸🇦 Saudi Risk Score
6.8 / 10.0 — Saudi Risk
Priority: HIGH
🏷️ Tags
CWE-20