Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in ZealousWeb Accept PayPal Payments using Contact Form 7 contact-form-7-paypal-extension allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Accept PayPal Payments using Contact Form 7: from n/a through <= 4.0.4.
AnalysisAI
Missing authorization in ZealousWeb's Accept PayPal Payments using Contact Form 7 plugin (versions up to 4.0.4) allows unauthenticated remote attackers to modify payment-related data through incorrectly configured access controls. The vulnerability exposes WordPress sites using this plugin to unauthorized alterations of sensitive payment information without requiring user authentication, though the EPSS score of 0.02% (4th percentile) indicates low real-world exploitation probability despite network accessibility.
Technical ContextAI
This is a broken access control vulnerability (CWE-862) in a WordPress plugin that integrates PayPal payment processing with Contact Form 7, a popular form builder. The plugin fails to properly validate authorization checks before allowing modification of payment-related operations, meaning the application does not verify whether a user has permission to perform sensitive actions. The vulnerability exists in the plugin's handling of access control security levels, which are inadequately enforced at the application logic layer. WordPress plugins are server-side PHP code executed in the context of a WordPress installation, and missing authorization checks are a fundamental flaw where the plugin accepts requests without confirming the requestor's identity or role.
RemediationAI
Update the Accept PayPal Payments using Contact Form 7 plugin to a version newer than 4.0.4; consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/contact-form-7-paypal-extension/vulnerability/wordpress-accept-paypal-payments-using-contact-form-7-plugin-4-0-4-broken-access-control-vulnerability?_s_id=cve) for the specific patched version number, as the exact fix version is not provided in this analysis. As an interim measure, disable the plugin or restrict PayPal payment processing functionality if the patched version is unavailable. Additionally, review WordPress user role configurations and Contact Form 7 permissions to ensure only authorized administrators and form managers can modify payment-related form settings. Monitor PayPal transaction logs for unauthorized modifications of payment amounts, statuses, or recipient addresses that could indicate exploitation.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20414
GHSA-fpf5-vrpj-m573