CVE-2026-39707
Missing Authorization in Contact Form 7 PayPal Extension
Publication date: 2026-04-08
Last updated on: 2026-04-13
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zealousweb | accept_paypal_payments_using_contact_form_7 | to 4.0.4 (inc) |
| zealousweb | contact_form_7_paypal_extension | to 4.0.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39707 is a Broken Access Control vulnerability in the WordPress plugin "Accept PayPal Payments using Contact Form 7" versions up to and including 4.0.4.
This vulnerability allows unauthenticated users to perform actions that should require higher privileges because of missing authorization, authentication, or nonce token checks in certain functions.
It is classified under OWASP Top 10 A1: Broken Access Control.
How can this vulnerability impact me? :
The vulnerability has a CVSS severity score of 5.3, indicating a low priority and low severity impact.
Although it is unlikely to be exploited with significant impact, attackers could use it in mass-exploit campaigns targeting many websites indiscriminately.
Exploitation could allow unauthorized users to perform privileged actions that should normally be restricted.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves missing authorization checks in the WordPress plugin "Accept PayPal Payments using Contact Form 7" versions up to 4.0.4, allowing unauthenticated users to perform privileged actions.
Detection typically requires reviewing the plugin version installed on your WordPress site to confirm if it is version 4.0.4 or lower.
Since this is a web application vulnerability, network-level commands may not directly detect it, but you can check the plugin version via WP-CLI with the following command:
- wp plugin list --status=active
Look for "accept-paypal-payments-using-contact-form-7" in the output and verify its version. If it is 4.0.4 or lower, the site is vulnerable.
Additionally, monitoring web server logs for unusual unauthenticated POST requests to plugin endpoints related to PayPal payments or Contact Form 7 may help identify exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating the affected plugin to a version that addresses the vulnerability if such an update is available.
Since no official patch is currently available for this vulnerability, alternative steps include:
- Contact your hosting provider or web developer to implement temporary access control measures or custom patches.
- Restrict access to the plugin's functionality by limiting permissions or disabling the plugin if it is not essential.
- Monitor your site for suspicious activity and unauthorized access attempts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability is a Broken Access Control issue that allows unauthenticated users to perform actions requiring higher privileges due to missing authorization checks.
Such access control weaknesses can potentially lead to unauthorized access to sensitive data or functionality, which may impact compliance with standards like GDPR or HIPAA that require strict access controls and protection of personal or health information.
However, the provided information does not explicitly state the direct impact on compliance with these regulations.