CVE-2026-7792
WPForms PayPal Webhook Signature Bypass Vulnerability
Publication date: 2026-06-06
Last updated on: 2026-06-06
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpforms | easy_form_builder | to 1.10.0.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-345 | The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the WPForms plugin for WordPress, specifically in versions up to and including 1.10.0.1. It involves the PayPal Commerce webhook endpoint, which processes JSON webhook payloads without properly verifying their authenticity. The plugin fails to check that the webhook requests actually come from PayPal by not verifying the required HMAC-SHA256 webhook signature. Instead, it only checks if the event_type is whitelisted before using the data. This flaw allows unauthenticated attackers who know a valid PayPal subscription_id to forge webhook events and manipulate subscription payment records.
For example, an attacker could reactivate a cancelled or suspended subscription by setting its subscription_status to active, thereby bypassing normal payment and subscription controls.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized modification of subscription payment records in the WPForms plugin. Specifically, attackers can forge PayPal webhook events to reactivate cancelled or suspended subscriptions without proper payment.
This can result in financial loss due to users gaining access to paid services without paying, disruption of subscription management, and potential damage to business reputation.