CVE-2026-42655
Description
An unauthenticated payment bypass in Best Payments Plugin for WP ≤4.6.19 lets attackers complete orders without paying.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Best Payments Plugin for WP (WordPress plugin slug wp-payment-form), versions up to and including 4.6.19, contains an unauthenticated payment bypass vulnerability. This flaw allows an attacker to manipulate the payment verification logic, effectively completing transactions without actual payment. No authentication or special configuration is required for the vulnerable code path to be reachable.
Exploitation
An unauthenticated attacker with network access to a WordPress site running the vulnerable plugin can exploit this vulnerability. By crafting a request that bypasses the payment gateway's confirmation callback, the attacker can force the order status to be marked as paid. The exact request manipulation details are not publicly disclosed, but the vulnerability resides in the plugin's order processing flow.
Impact
Successful exploitation results in an attacker obtaining products or services without making a payment. This leads to financial loss for the site owner. The integrity of the order records is compromised, as unpaid orders are recorded as completed. The attacker does not gain other privileges or access beyond the unpaid purchase.
Mitigation
The vendor has released a patched version; all users must update the Best Payments Plugin for WP to version 4.6.20 or later immediately. As of the publication date, no workaround is available other than updating. This vulnerability is listed on Patchstack and has been used in mass-exploit campaigns, making prompt application of the fix critical [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=4.6.19
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.