CVE Catalog

CVE-2026-4986

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.02%

7th percentile - higher than 7% of all known CVEs

Summary

The WPForms plugin for WordPress before version 1.10.0.5 does not verify the authenticity of incoming PayPal webhook events before processing them. This allows unauthenticated attackers to forge webhook payloads and manipulate the payment state of arbitrary transactions.

Risk Assessment

The lack of authenticity verification for webhooks can lead to unauthorized changes in payment transactions, posing financial risks to the organization.

Recommendation

It is recommended to update the WPForms plugin to version 1.10.0.5 or later to ensure proper verification of PayPal webhook events.

Original NVD description (English source)

The WPForms WordPress plugin before 1.10.0.5 does not verify the authenticity of incoming PayPal webhook events before processing them, allowing unauthenticated attackers to forge webhook payloads and manipulate the payment state of arbitrary transactions.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS