CVE-2026-4986
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk7th percentile - higher than 7% of all known CVEs
Summary
The WPForms plugin for WordPress before version 1.10.0.5 does not verify the authenticity of incoming PayPal webhook events before processing them. This allows unauthenticated attackers to forge webhook payloads and manipulate the payment state of arbitrary transactions.
Risk Assessment
The lack of authenticity verification for webhooks can lead to unauthorized changes in payment transactions, posing financial risks to the organization.
Recommendation
It is recommended to update the WPForms plugin to version 1.10.0.5 or later to ensure proper verification of PayPal webhook events.
Original NVD description (English source)
The WPForms WordPress plugin before 1.10.0.5 does not verify the authenticity of incoming PayPal webhook events before processing them, allowing unauthenticated attackers to forge webhook payloads and manipulate the payment state of arbitrary transactions.

