CVE-2026-4986

MEDIUM

WPForms Lite < 1.10.0.5 – Unauthenticated PayPal Webhook Forgery

Title source: cna
STIX 2.1

Description

The WPForms WordPress plugin before 1.10.0.5 does not verify the authenticity of incoming PayPal webhook events before processing them, allowing unauthenticated attackers to forge webhook payloads and manipulate the payment state of arbitrary transactions.

References (1)

Core 1
Core References
Exploit exploit vdb-entry technical-description
https://wpscan.com/vulnerability/1d99eed6-9a16-4d5a-90f9-ab604dfd5b92/

Scores

CVSS v3 5.3
EPSS 0.0020
EPSS Percentile 9.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (1)
None/WPForms 1.10.0.1 - 1.10.0.5
Published Jun 09, 2026
Tracked Since Jun 09, 2026