MEDIUM
WPForms
CVE published 2026-06-09
CVE-2026-4986
CVE-2026-4986 is a MEDIUM-severity vulnerability in the WPForms WordPress plugin. The plugin did not properly validate the authenticity of incoming PayPal webhook events prior to processing them. This could allow an unauthenticated attacker to forge webhook payloads and manipulate the payment state of arbitrary transactions.
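A receiver-side authenticity check of the kind the description says was missing, as an added PHP example; it is not WPForms code and is not taken from the plugin's fix. It follows PayPal's documented signed string (transmission ID, transmission time, webhook ID and CRC32 of the raw body, signed with RSA-SHA256); the function names, webhook ID, key pair and sample event are constructed, and the `paypal.com` host-suffix rule is an assumption.

```php
<?php
// Added illustration, not WPForms code. Function names, IDs and keys are constructed.
function paypal_signed_string(array $h, string $rawBody, string $webhookId): string
{
    // PayPal signs "transmissionId|transmissionTime|webhookId|crc32(rawBody)".
    $crc = sprintf('%u', crc32($rawBody)); // unsigned decimal, also on 32-bit PHP
    return implode('|', [$h['paypal-transmission-id'], $h['paypal-transmission-time'], $webhookId, $crc]);
}

// $publicKeyPem: key from the certificate at PAYPAL-CERT-URL, fetched over HTTPS.
function verify_paypal_webhook(array $headers, string $rawBody, string $webhookId, string $publicKeyPem): bool
{
    $h = array_change_key_case($headers, CASE_LOWER);
    foreach (['paypal-transmission-id', 'paypal-transmission-time', 'paypal-transmission-sig',
              'paypal-cert-url', 'paypal-auth-algo'] as $name) {
        if (empty($h[$name]) || !is_string($h[$name])) {
            return false; // unsigned or malformed request: reject before any state change
        }
    }
    // The certificate URL is sender-supplied; only accept PayPal hosts (assumed suffix).
    $url = parse_url($h['paypal-cert-url']);
    if (($url['scheme'] ?? '') !== 'https' || !preg_match('/(^|\.)paypal\.com$/i', $url['host'] ?? '')) {
        return false;
    }
    $sig = base64_decode($h['paypal-transmission-sig'], true);
    if ($sig === false || $h['paypal-auth-algo'] !== 'SHA256withRSA') {
        return false;
    }
    return openssl_verify(paypal_signed_string($h, $rawBody, $webhookId), $sig, $publicKeyPem, OPENSSL_ALGO_SHA256) === 1;
}

// Constructed demo: a locally generated RSA key stands in for PayPal's signing key.
$key  = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$pub  = openssl_pkey_get_details($key)['key'];
$body = '{"event_type":"PAYMENT.CAPTURE.COMPLETED","resource":{"id":"CONSTRUCTED-1"}}';
$hdr  = [
    'PAYPAL-TRANSMISSION-ID'   => 'constructed-transmission-id',
    'PAYPAL-TRANSMISSION-TIME' => '2026-01-01T00:00:00Z',
    'PAYPAL-CERT-URL'          => 'https://api.paypal.com/constructed-cert-path',
    'PAYPAL-AUTH-ALGO'         => 'SHA256withRSA',
];
openssl_sign(paypal_signed_string(array_change_key_case($hdr, CASE_LOWER), $body, 'WH-CONSTRUCTED'), $raw, $key, OPENSSL_ALGO_SHA256);
$hdr['PAYPAL-TRANSMISSION-SIG'] = base64_encode($raw);
var_dump(verify_paypal_webhook($hdr, $body, 'WH-CONSTRUCTED', $pub)); // authentic event
var_dump(verify_paypal_webhook($hdr, str_replace('COMPLETED', 'REFUNDED', $body), 'WH-CONSTRUCTED', $pub)); // altered body
unset($hdr['PAYPAL-TRANSMISSION-SIG']);
var_dump(verify_paypal_webhook($hdr, $body, 'WH-CONSTRUCTED', $pub)); // signature header absent
```

The check has to run on the raw request body, before JSON decoding, and payment state should change only after it returns true.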