CVE-2025-12752
BaseFortify
Publication date: 2025-11-22
Last updated on: 2025-11-22
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| paypal | subscriptions_and_memberships | 1.1.7 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-345 | The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Subscriptions & Memberships for PayPal plugin for WordPress allows unauthenticated attackers to create fake payment entries because the plugin does not properly verify the authenticity of an IPN (Instant Payment Notification) request. This means attackers can make the system believe a payment was made when it actually was not.
How can this vulnerability impact me? :
This vulnerability can lead to the creation of fraudulent payment records, potentially causing financial discrepancies, loss of revenue, and trust issues. It may allow attackers to gain unauthorized access to services or memberships by faking payment confirmations.
What immediate steps should I take to mitigate this vulnerability?
Update the Subscriptions & Memberships for PayPal plugin for WordPress to a version later than 1.1.7 where the vulnerability is fixed. Until then, consider disabling the plugin or restricting access to IPN endpoints to trusted sources to prevent unauthenticated fake payment creation.