    Severity: MEDIUM (6.0)
    Category: Plugin

    Improper Input Validation in MetForm Pro Plugin Allows Payment Manipulation

    Published Date: 4/15/2026
    CVE ID: CVE-2026-1782

    Summary

    The MetForm Pro plugin for WordPress suffers from improper input validation in versions up to and including 3.9.7, enabling attackers to manipulate payments. The issue arises from the plugin's failure to validate user-submitted calculation field values against configured form prices in its payment integrations.

    Vulnerability Details

    The vulnerability stems from unvalidated user input in the 'mf-calculation' field on form submissions that process payment through Stripe or PayPal. The plugin trusts the submitted value without recomputing it or checking it against the price set in the form configuration. Unauthenticated attackers can therefore alter the payment amount in the transaction request, causing financial losses for site owners who use the form to take payments. Any site that relies on these forms for financial transactions is affected, since the flaw undermines the integrity of its pricing. Trusting user-submitted values without server-side verification is a common oversight that can lead to severe exploitation if not addressed.
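The pattern described above (a gateway charge built from a client-computed total instead of the configured price) is illustrated below with an added example; this is not MetForm's code and does not use its actual API or field schema. The form configuration, the `items` field, the sample submissions and the function names are all constructed for the demonstration; only the `mf-calculation` field name comes from the advisory. The weak handler returns whatever the client claimed, while the hardened handler recomputes the amount from the server-side configuration and additionally reports a mismatch flag that a site can log or alert on:

```python
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP
from typing import Optional, Tuple

# Constructed form configuration: the server-side source of truth for prices.
# Field names and structure are hypothetical, not MetForm's actual schema.
FORM_CONFIG = {
    "currency": "USD",
    "items": {
        "ticket_standard": Decimal("50.00"),
        "ticket_vip": Decimal("120.00"),
    },
    "max_quantity": 10,
}

# Constructed submissions. 'mf-calculation' is the client-computed total named
# in the advisory; 'items' is a hypothetical field carrying the user's choices.
HONEST_SUBMISSION = {"items": {"ticket_vip": "2"}, "mf-calculation": "240.00"}
TAMPERED_SUBMISSION = {"items": {"ticket_vip": "2"}, "mf-calculation": "1.00"}

CENTS = Decimal("0.01")


class PaymentError(ValueError):
    """Raised when a submission cannot be priced from the configuration."""


def charge_amount_vulnerable(submission: dict) -> Decimal:
    """The flawed pattern: the amount sent to the payment gateway is whatever the
    client put in 'mf-calculation'. Nothing ties it to the configured price."""
    return Decimal(submission["mf-calculation"]).quantize(CENTS, rounding=ROUND_HALF_UP)


def recompute_amount(config: dict, submission: dict) -> Decimal:
    """Rebuild the total from configured prices and the user's selections.
    Only item keys and quantities are read from the submission; prices never are."""
    items = submission.get("items") or {}
    if not items:
        raise PaymentError("submission selects no priced items")
    total = Decimal("0")
    for key, raw_qty in items.items():
        price = config["items"].get(key)
        if price is None:
            raise PaymentError(f"unknown item {key!r}")
        try:
            qty = int(raw_qty)
        except (TypeError, ValueError):
            raise PaymentError(f"non-integer quantity for {key!r}") from None
        if not 1 <= qty <= config["max_quantity"]:
            raise PaymentError(f"quantity {qty} out of range for {key!r}")
        total += price * qty
    return total.quantize(CENTS, rounding=ROUND_HALF_UP)


def charge_amount_hardened(config: dict, submission: dict) -> Tuple[Decimal, bool]:
    """The corrected pattern: charge the recomputed amount and report whether the
    client's 'mf-calculation' disagreed with it. An honest client never disagrees,
    so the boolean is a detection hook worth logging or alerting on."""
    expected = recompute_amount(config, submission)
    try:
        claimed: Optional[Decimal] = Decimal(str(submission.get("mf-calculation"))).quantize(CENTS)
    except InvalidOperation:
        claimed = None  # missing or malformed client total is itself a mismatch
    return expected, claimed != expected


if __name__ == "__main__":
    print("vulnerable handler charges:", charge_amount_vulnerable(TAMPERED_SUBMISSION))
    for label, sub in (("honest", HONEST_SUBMISSION), ("tampered", TAMPERED_SUBMISSION)):
        amount, mismatch = charge_amount_hardened(FORM_CONFIG, sub)
        print(f"hardened handler charges {amount} for {label} submission; mismatch={mismatch}")
```

The hardened handler never rejects a submission merely because the client total is wrong; it charges the recomputed amount and surfaces the disagreement, so legitimate rounding differences in a client-side calculator do not block checkout while tampering still leaves a signal in the logs.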

    Recommendations

    Site administrators should immediately disable the MetForm Pro plugin's payment functionality until a patch is released. Review the configuration of current forms to ensure there is no unnecessary exposure, and limit the use of calculation fields where possible. As a preventive measure, employ a web application firewall (WAF) to detect and block malicious form submissions.

    Available Fixes

    Last Updated: 4/16/2026
    Jedar

    Jedar for Digital Rights is a non-profit organization dedicated to protecting digital freedoms, enhancing online privacy, and promoting secure digital practices for vulnerable communities worldwide.
