CVE-2026-4986

UNKNOWN NVD

CVSS Score 0

Severity UNKNOWN

Published Jun 09, 2026

Vendor unknown

Description

The WPForms WordPress plugin before 1.10.0.5 does not verify the authenticity of incoming PayPal webhook events before processing them, allowing unauthenticated attackers to forge webhook payloads and manipulate the payment state of arbitrary transactions.

References

https://wpscan.com/vulnerability/1d99eed6-9a16-4d5a-90f9-ab604dfd5b92/