Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The WPForms - Easy Form Builder for WordPress - Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to and including 1.10.0.1. This is due to the PayPal Commerce webhook endpoint processing unauthenticated JSON webhook payloads without verifying that the request originated from PayPal using the required HMAC-SHA256 webhook signature, and only checking whether the supplied event_type is whitelisted before dispatching the attacker-controlled resource data to handlers that update payment records. This makes it possible for unauthenticated attackers who know a valid PayPal subscription_id to forge PayPal webhook events and modify subscription payment records, such as reactivating a cancelled or suspended subscription by setting its subscription_status to active.
AnalysisAI
Unauthenticated webhook forgery in WPForms (wpforms-lite ≤1.10.0.1) enables payment fraud by allowing any remote attacker who knows a valid PayPal subscription_id to manipulate subscription payment records - including forcing a cancelled or suspended subscription back to active status - without any credentials or user interaction. The PayPal Commerce webhook endpoint accepts and acts on arbitrary JSON POST payloads, performing no HMAC-SHA256 origin verification, and trusts attacker-supplied resource data once the event_type field passes a whitelist check. No public exploit has been identified and this vulnerability is not listed in CISA KEV at time of analysis, but the zero-complexity attack path makes independent exploitation straightforward for anyone possessing a valid subscription_id.
Technical ContextAI
The affected component is the PayPal Commerce webhook integration within wpforms-lite (CPE: cpe:2.3:a:smub:wpforms_-_easy_form_builder_for_wordpress_-_contact_forms,_payment_forms,_surveys,_&_more:*:*:*:*:*:*:*:*). PayPal's Commerce platform requires webhook recipients to validate an HMAC-SHA256 signature transmitted in the request headers, computed from the raw payload body using a secret known only to the legitimate recipient - this is the standard cryptographic mechanism to prove that a webhook originated from PayPal infrastructure. In WPForms ≤1.10.0.1, the WebhookRoute.php handler (lines L122 and L170 in the SVN repository) skips this verification entirely. The only gate applied is a check that the supplied event_type value appears in a whitelist, after which the attacker-controlled resource object from the JSON body is passed verbatim to downstream handlers including BillingSubscriptionActivated.php:L38 and BillingSubscriptionCancelled.php:L32, which update subscription payment records based on the untrusted data. CWE-345 (Insufficient Verification of Data Authenticity) precisely describes this root cause: the system acts on data claiming to originate from a trusted third party (PayPal) without cryptographically proving that claim.
RemediationAI
Upgrade wpforms-lite to version 1.10.0.4 or later immediately; this version is confirmed patched based on the WordPress plugin SVN changeset 3532389, which modifies WebhookRoute.php to add proper HMAC-SHA256 signature verification before any payload processing. WordPress site operators can update via the Plugins dashboard or WP-CLI (wp plugin update wpforms-lite). If immediate upgrade is not feasible, the most effective compensating control is to disable the PayPal Commerce payment integration in WPForms settings (WPForms > Settings > Payments > PayPal Commerce), which prevents the vulnerable webhook endpoint from receiving any external traffic; the trade-off is that PayPal Commerce payment processing will be suspended until the patch is applied. A secondary control - configuring WAF rules to restrict POST access to the wpforms PayPal webhook route exclusively to known PayPal IP ranges - is possible but operationally fragile, as PayPal's egress IP space can change without notice and requires ongoing maintenance. References: Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/d5cf5fd2-58c7-42d0-948f-95764647630b; patched code at https://plugins.trac.wordpress.org/changeset/3532389/wpforms-lite/trunk/src/Integrations/PayPalCommerce/Api/WebhookRoute.php.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34954
GHSA-46hc-3pvv-7xv3