Skip to main content

Accept Paypal Payments Using Contact Form 7 CVE-2026-39707

| EUVDEUVD-2026-20414 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-fpf5-vrpj-m573
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:44 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20414
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in ZealousWeb Accept PayPal Payments using Contact Form 7 contact-form-7-paypal-extension allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Accept PayPal Payments using Contact Form 7: from n/a through <= 4.0.4.

AnalysisAI

Missing authorization in ZealousWeb's Accept PayPal Payments using Contact Form 7 plugin (versions up to 4.0.4) allows unauthenticated remote attackers to modify payment-related data through incorrectly configured access controls. The vulnerability exposes WordPress sites using this plugin to unauthorized alterations of sensitive payment information without requiring user authentication, though the EPSS score of 0.02% (4th percentile) indicates low real-world exploitation probability despite network accessibility.

Technical ContextAI

This is a broken access control vulnerability (CWE-862) in a WordPress plugin that integrates PayPal payment processing with Contact Form 7, a popular form builder. The plugin fails to properly validate authorization checks before allowing modification of payment-related operations, meaning the application does not verify whether a user has permission to perform sensitive actions. The vulnerability exists in the plugin's handling of access control security levels, which are inadequately enforced at the application logic layer. WordPress plugins are server-side PHP code executed in the context of a WordPress installation, and missing authorization checks are a fundamental flaw where the plugin accepts requests without confirming the requestor's identity or role.

RemediationAI

Update the Accept PayPal Payments using Contact Form 7 plugin to a version newer than 4.0.4; consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/contact-form-7-paypal-extension/vulnerability/wordpress-accept-paypal-payments-using-contact-form-7-plugin-4-0-4-broken-access-control-vulnerability?_s_id=cve) for the specific patched version number, as the exact fix version is not provided in this analysis. As an interim measure, disable the plugin or restrict PayPal payment processing functionality if the patched version is unavailable. Additionally, review WordPress user role configurations and Contact Form 7 permissions to ensure only authorized administrators and form managers can modify payment-related form settings. Monitor PayPal transaction logs for unauthorized modifications of payment amounts, statuses, or recipient addresses that could indicate exploitation.

Share

CVE-2026-39707 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy