Skip to main content

WPForms EUVDEUVD-2026-34954

| CVE-2026-7792 MEDIUM
Insufficient Verification of Data Authenticity (CWE-345)
2026-06-06 Wordfence GHSA-46hc-3pvv-7xv3
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 06, 2026 - 03:55 vuln.today
CVE Published
Jun 06, 2026 - 02:28 nvd
MEDIUM 5.3

DescriptionCVE.org

The WPForms - Easy Form Builder for WordPress - Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to and including 1.10.0.1. This is due to the PayPal Commerce webhook endpoint processing unauthenticated JSON webhook payloads without verifying that the request originated from PayPal using the required HMAC-SHA256 webhook signature, and only checking whether the supplied event_type is whitelisted before dispatching the attacker-controlled resource data to handlers that update payment records. This makes it possible for unauthenticated attackers who know a valid PayPal subscription_id to forge PayPal webhook events and modify subscription payment records, such as reactivating a cancelled or suspended subscription by setting its subscription_status to active.

AnalysisAI

Unauthenticated webhook forgery in WPForms (wpforms-lite ≤1.10.0.1) enables payment fraud by allowing any remote attacker who knows a valid PayPal subscription_id to manipulate subscription payment records - including forcing a cancelled or suspended subscription back to active status - without any credentials or user interaction. The PayPal Commerce webhook endpoint accepts and acts on arbitrary JSON POST payloads, performing no HMAC-SHA256 origin verification, and trusts attacker-supplied resource data once the event_type field passes a whitelist check. No public exploit has been identified and this vulnerability is not listed in CISA KEV at time of analysis, but the zero-complexity attack path makes independent exploitation straightforward for anyone possessing a valid subscription_id.

Technical ContextAI

The affected component is the PayPal Commerce webhook integration within wpforms-lite (CPE: cpe:2.3:a:smub:wpforms_-_easy_form_builder_for_wordpress_-_contact_forms,_payment_forms,_surveys,_&_more:*:*:*:*:*:*:*:*). PayPal's Commerce platform requires webhook recipients to validate an HMAC-SHA256 signature transmitted in the request headers, computed from the raw payload body using a secret known only to the legitimate recipient - this is the standard cryptographic mechanism to prove that a webhook originated from PayPal infrastructure. In WPForms ≤1.10.0.1, the WebhookRoute.php handler (lines L122 and L170 in the SVN repository) skips this verification entirely. The only gate applied is a check that the supplied event_type value appears in a whitelist, after which the attacker-controlled resource object from the JSON body is passed verbatim to downstream handlers including BillingSubscriptionActivated.php:L38 and BillingSubscriptionCancelled.php:L32, which update subscription payment records based on the untrusted data. CWE-345 (Insufficient Verification of Data Authenticity) precisely describes this root cause: the system acts on data claiming to originate from a trusted third party (PayPal) without cryptographically proving that claim.

RemediationAI

Upgrade wpforms-lite to version 1.10.0.4 or later immediately; this version is confirmed patched based on the WordPress plugin SVN changeset 3532389, which modifies WebhookRoute.php to add proper HMAC-SHA256 signature verification before any payload processing. WordPress site operators can update via the Plugins dashboard or WP-CLI (wp plugin update wpforms-lite). If immediate upgrade is not feasible, the most effective compensating control is to disable the PayPal Commerce payment integration in WPForms settings (WPForms > Settings > Payments > PayPal Commerce), which prevents the vulnerable webhook endpoint from receiving any external traffic; the trade-off is that PayPal Commerce payment processing will be suspended until the patch is applied. A secondary control - configuring WAF rules to restrict POST access to the wpforms PayPal webhook route exclusively to known PayPal IP ranges - is possible but operationally fragile, as PayPal's egress IP space can change without notice and requires ongoing maintenance. References: Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/d5cf5fd2-58c7-42d0-948f-95764647630b; patched code at https://plugins.trac.wordpress.org/changeset/3532389/wpforms-lite/trunk/src/Integrations/PayPalCommerce/Api/WebhookRoute.php.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

EUVD-2026-34954 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy