WPForms WordPress Plugin PayPal Webhook Forgery Vulnerability

Vulnerability

A vulnerability exists in the WPForms WordPress plugin in versions prior to 1.10.0.5, where the plugin fails to authenticate incoming PayPal webhook events before processing them. This flaw allows unauthenticated attackers to create fake webhook payloads and alter the payment status of any transaction.
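The check that was missing, as an added example (not WPForms' code and not taken from its fix): a handler that verifies PayPal's signature headers over the raw request body before any event is acted on. The function names, the `WH-EXAMPLE` webhook ID, the header array keyed by upper-case name and the throwaway key pair standing in for PayPal's signing certificate are assumptions; fetching the certificate from a pinned PayPal host is left to the caller.

```php
<?php
// Added example, not WPForms code. Names, IDs and the sample event are constructed.
/** True only if the PayPal signature headers match the raw body and this site's webhook ID. */
function example_paypal_signature_ok(array $headers, string $raw_body, string $webhook_id, string $cert_pem): bool {
    $required = ['PAYPAL-TRANSMISSION-ID', 'PAYPAL-TRANSMISSION-TIME', 'PAYPAL-TRANSMISSION-SIG', 'PAYPAL-AUTH-ALGO'];
    foreach ($required as $name) {
        if (empty($headers[$name]) || !is_string($headers[$name])) {
            return false; // fail closed on any missing header
        }
    }
    if ($headers['PAYPAL-AUTH-ALGO'] !== 'SHA256withRSA') {
        return false; // the sender does not get to pick the algorithm
    }
    $signature  = base64_decode($headers['PAYPAL-TRANSMISSION-SIG'], true);
    $public_key = openssl_pkey_get_public($cert_pem);
    if ($signature === false || $public_key === false) {
        return false;
    }
    // Signed string: <transmission id>|<transmission time>|<webhook id>|<CRC32 of raw body, decimal>
    $signed = implode('|', [
        $headers['PAYPAL-TRANSMISSION-ID'],
        $headers['PAYPAL-TRANSMISSION-TIME'],
        $webhook_id,
        sprintf('%u', crc32($raw_body)),
    ]);
    return openssl_verify($signed, $signature, $public_key, OPENSSL_ALGO_SHA256) === 1;
}

/** Returns the decoded event only when it is authenticated; null means respond with an error and change nothing. */
function example_accept_event(array $headers, string $raw_body, string $webhook_id, string $cert_pem): ?array {
    if (!example_paypal_signature_ok($headers, $raw_body, $webhook_id, $cert_pem)) {
        return null;
    }
    $event = json_decode($raw_body, true);
    return is_array($event) ? $event : null;
}

// Constructed demo: a throwaway RSA key pair stands in for PayPal's signing certificate.
$key  = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pem  = openssl_pkey_get_details($key)['key'];
$body = '{"event_type":"PAYMENT.CAPTURE.COMPLETED","resource":{"id":"EXAMPLE"}}';
$h    = ['PAYPAL-TRANSMISSION-ID' => 'example-id', 'PAYPAL-TRANSMISSION-TIME' => '2026-06-09T06:48:00Z', 'PAYPAL-AUTH-ALGO' => 'SHA256withRSA'];
openssl_sign('example-id|2026-06-09T06:48:00Z|WH-EXAMPLE|' . sprintf('%u', crc32($body)), $sig, $key, OPENSSL_ALGO_SHA256);
$h['PAYPAL-TRANSMISSION-SIG'] = base64_encode($sig);

var_dump(example_accept_event($h, $body, 'WH-EXAMPLE', $pem) !== null);  // signed event
var_dump(example_accept_event($h, str_replace('COMPLETED', 'REFUNDED', $body), 'WH-EXAMPLE', $pem) !== null);  // body altered after signing
unset($h['PAYPAL-TRANSMISSION-SIG']);
var_dump(example_accept_event($h, $body, 'WH-EXAMPLE', $pem) !== null);  // no signature header
```

The webhook ID is part of the signed string, so an event signed for a different PayPal webhook does not verify for this site.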

Impact

Exploitation of this vulnerability could lead to unauthorized manipulation of payment states for transactions processed through PayPal.

Remediation

Users are advised to update the WPForms WordPress plugin to version 1.10.0.5 or later.

Added: Jun 9, 2026, 6:48 AM
Updated: Jun 9, 2026, 6:48 AM

Vulnerability Rating

Custom Algorithm

spread: 7.6
impact: 0.6
exploitability: 8.9
remediation: 7.7
relevance: 9.3
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.