WordPress Plugin Vulnerabilities

WPForms Lite < 1.10.0.5 – Unauthenticated PayPal Webhook Forgery

Description

The plugin does not verify the authenticity of incoming PayPal webhook events before processing them, allowing unauthenticated attackers to forge webhook payloads and manipulate the payment state of arbitrary transactions.

Proof of Concept

Affects Plugins

Plugin icon
wpforms-lite
Fixed in 1.10.0.5

References

CVE
CVE-2026-4986

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Sudhanshu Chauhan [RedHunt Labs]
Submitter
Sudhanshu Chauhan [RedHunt Labs]
Submitter website
https://redhuntlabs.com/
Submitter twitter
Sudhanshu_C
Verified
Yes
WPVDB ID
1d99eed6-9a16-4d5a-90f9-ab604dfd5b92

Timeline

Publicly Published
2026-05-19 (about 21 days ago)
Added
2026-05-19 (about 20 days ago)
Last Updated
2026-05-19 (about 20 days ago)

Other

Published
Title
Published
2024-05-20
Title
Crafthemes Demo Import <= 3.3 - Missing Authorization to Arbitrary Plugin Installation
Published
2025-06-19
Title
Import YouTube videos as WP Posts <= 2.1 - Missing Authorization
Published
2025-06-25
Title
Post Carousel Slider for Elementor < 1.7.0 - Authenticated (Subscriber+) Missing Authorization via process_wbelps_promo_form Function
Published
2026-02-17
Title
SiteOrigin Widgets Bundle < 1.71.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution
Published
2024-03-11
Title
LadiApp <= 4.4 - Missing Authorization via save_config()