PatchSiren cyber security CVE debrief
CVE-2026-4986 WPForms CVE debrief
CVE-2026-4986 is a MEDIUM-severity vulnerability in the WPForms WordPress plugin. The plugin did not properly validate the authenticity of incoming PayPal webhook events prior to processing them. This could allow an unauthenticated attacker to forge webhook payloads and manipulate the payment state of arbitrary transactions.
- Vendor: WPForms
- Product: WPForms WordPress plugin
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-09
Who should care
Users of the WPForms WordPress plugin, particularly those who use PayPal webhooks for payment processing, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The WPForms WordPress plugin before 1.10.0.5 does not verify the authenticity of incoming PayPal webhook events before processing them, allowing unauthenticated attackers to forge webhook payloads and manipulate the payment state of arbitrary transactions. The vulnerability has a CVSS score of 5.3 and is classified as CWE-862.
Defensive priority
MEDIUM
Recommended defensive actions
- Update the WPForms plugin to version 1.10.0.5 or later.
- Verify the authenticity of incoming PayPal webhook events before processing them.
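As an added illustration of the missing check (not WPForms' code and not taken from the advisory), the Go program below reconstructs the input PayPal documents for its webhook signature (transmission id | transmission time | webhook id | CRC32 of the raw body) and verifies the SHA256withRSA signature before any payment state is touched. It assumes PayPal's documented header names, uses a locally generated RSA key in place of the certificate fetched from PAYPAL-CERT-URL so it runs offline, and the webhook id, timestamp and event bodies are constructed sample values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"hash/crc32"
)

// Values PayPal sends in the PAYPAL-TRANSMISSION-ID, -TIME and -SIG headers.
type transmission struct {
	ID, Time, Sig string // Sig is base64-encoded
}

// signedInput rebuilds the string PayPal signs: id|time|webhookId|crc32(body).
func signedInput(t transmission, webhookID string, body []byte) []byte {
	return []byte(fmt.Sprintf("%s|%s|%s|%d", t.ID, t.Time, webhookID, crc32.ChecksumIEEE(body)))
}

// verifyWebhook returns true only if Sig is a valid SHA256withRSA (PKCS#1 v1.5)
// signature over the reconstructed input; any change to the body, the
// transmission metadata or the webhook id makes it fail.
func verifyWebhook(pub *rsa.PublicKey, t transmission, webhookID string, body []byte) bool {
	sig, err := base64.StdEncoding.DecodeString(t.Sig)
	if err != nil {
		return false
	}
	digest := sha256.Sum256(signedInput(t, webhookID, body))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// signForTest stands in for PayPal's signer so the example runs offline.
func signForTest(priv *rsa.PrivateKey, t transmission, webhookID string, body []byte) (string, error) {
	digest := sha256.Sum256(signedInput(t, webhookID, body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	const webhookID = "WH-EXAMPLE-ID" // constructed placeholder, not a real webhook id
	body := []byte(`{"event_type":"PAYMENT.CAPTURE.COMPLETED","resource":{"status":"COMPLETED"}}`)
	t := transmission{ID: "tx-1", Time: "2026-06-09T06:16:53Z"} // constructed sample
	t.Sig, _ = signForTest(priv, t, webhookID, body)
	fmt.Println("genuine event verifies:", verifyWebhook(&priv.PublicKey, t, webhookID, body))
	forged := []byte(`{"event_type":"PAYMENT.CAPTURE.COMPLETED","resource":{"status":"COMPLETED","id":"X"}}`)
	fmt.Println("forged body verifies:", verifyWebhook(&priv.PublicKey, t, webhookID, forged))
}
```

A production handler must load the signing certificate only from a PayPal-controlled host named in PAYPAL-CERT-URL (or call PayPal's verify-webhook-signature API instead) and should update payment state only after this check passes.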
Evidence notes
The CVE record was published on CVE.org and additional details can be found on NVD. A further source reference is listed under Official resources below.
Official resources
- CVE-2026-4986 CVE record (CVE.org)
- CVE-2026-4986 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference
CVE-2026-4986 was published on 2026-06-09T06:16:53.797Z and modified on 2026-06-09T14:16:44.693Z.