CVE-2026-4986
Description
WPForms Lite versions before 1.10.0.5 allow unauthenticated attackers to forge PayPal webhook events and manipulate payment states.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WPForms Lite WordPress plugin before version 1.10.0.5 does not verify the authenticity of incoming PayPal webhook events. This allows unauthenticated attackers to forge webhook payloads and manipulate the payment state of arbitrary transactions [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending forged PayPal webhook payloads to a vulnerable WordPress site. No specific user interaction or special privileges are required beyond network access to the site's webhook endpoint [1].
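The handler pattern behind the Vulnerability and Exploitation sections, as an added example that is not WPForms code and not PayPal's SDK: a pre-fix style handler that lets any well-formed POST set an order's payment state, next to a handler that authenticates the delivery before parsing it. Assumptions: the signed-message layout follows PayPal's documented webhook self-verification (transmission id, transmission time, webhook id and the crc32 of the raw body joined with "|"), but the RSA-SHA256 check against PayPal's published certificate is replaced by an HMAC with a constructed key so the block runs offline; the order store, event payloads, transmission ids and webhook id are constructed as well.

```python
"""Webhook authentication, modelled on the flaw class behind CVE-2026-4986.
Constructed example, not WPForms or PayPal code. The signed-message layout is
PayPal's documented self-verification (transmission id|time|webhook id|crc32 of
the raw body); the RSA-SHA256 check against PayPal's certificate is replaced by
an HMAC with a test key so it runs offline. Store, payloads, ids and key are made up."""
import base64, hashlib, hmac, json, zlib
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

NOW = datetime(2026, 6, 9, 12, 0, tzinfo=timezone.utc)   # fixed clock for the demo
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
STATES = {"PAYMENT.CAPTURE.COMPLETED": "paid", "PAYMENT.CAPTURE.REFUNDED": "refunded"}

class WebhookError(Exception):
    """Raised when an event must not be acted on."""

def new_store():
    """Constructed order store, order id -> payment state (stands in for the DB)."""
    return {"order-1001": "pending", "order-1002": "pending"}

def apply_event(store, event):
    """Shared business logic: map a capture event to the order's payment state."""
    order_id = event["resource"]["custom_id"]
    if order_id not in store:
        raise WebhookError("unknown order")
    store[order_id] = STATES.get(event["event_type"], store[order_id])
    return store[order_id]

def vulnerable_handler(store, raw_body):
    """Pre-fix pattern: no authenticity check, whoever POSTs a well-formed event sets the state."""
    return apply_event(store, json.loads(raw_body))

def sign_message(key, message):
    """Stand-in for PayPal's RSA-SHA256 signature (HMAC so the demo runs offline)."""
    return base64.b64encode(hmac.new(key, message.encode(), hashlib.sha256).digest()).decode()

def signed_message(tid, ttime, webhook_id, raw_body):
    # PayPal's layout; crc32 is over the bytes as received (not re-serialised JSON),
    # rendered as an unsigned decimal (zlib.crc32 is unsigned on Python 3).
    return "|".join((tid, ttime, webhook_id, str(zlib.crc32(raw_body))))

def deliver(key, webhook_id, tid, when, raw_body):
    """Constructed sender side: the headers a genuine PayPal delivery carries."""
    ttime = when.strftime(TIME_FMT)
    return {"PAYPAL-TRANSMISSION-ID": tid, "PAYPAL-TRANSMISSION-TIME": ttime,
            "PAYPAL-AUTH-ALGO": "SHA256withRSA",
            "PAYPAL-CERT-URL": "https://api.paypal.com/v1/notifications/certs/CERT-constructed",
            "PAYPAL-TRANSMISSION-SIG": sign_message(key, signed_message(tid, ttime, webhook_id, raw_body))}

class HardenedHandler:
    REQUIRED = ("PAYPAL-TRANSMISSION-ID", "PAYPAL-TRANSMISSION-TIME", "PAYPAL-TRANSMISSION-SIG",
                "PAYPAL-CERT-URL", "PAYPAL-AUTH-ALGO")

    def __init__(self, store, webhook_id, key, now, max_skew=timedelta(minutes=5)):
        self.store, self.key, self.now, self.max_skew = store, key, now, max_skew
        self.webhook_id = webhook_id   # from the merchant's own config, never from the request
        self.seen = set()              # transmission ids already processed (replay guard)

    def handle(self, headers, raw_body):
        if any(h not in headers for h in self.REQUIRED):
            raise WebhookError("missing headers")
        host = urlparse(headers["PAYPAL-CERT-URL"]).hostname or ""
        if host != "paypal.com" and not host.endswith(".paypal.com"):
            raise WebhookError("cert url not on paypal.com")   # never fetch an attacker-chosen cert
        sent = datetime.strptime(headers["PAYPAL-TRANSMISSION-TIME"], TIME_FMT).replace(tzinfo=timezone.utc)
        if abs(self.now() - sent) > self.max_skew:
            raise WebhookError("stale transmission time")
        tid = headers["PAYPAL-TRANSMISSION-ID"]
        expected = sign_message(self.key, signed_message(tid, headers["PAYPAL-TRANSMISSION-TIME"],
                                                         self.webhook_id, raw_body))
        if not hmac.compare_digest(expected, headers["PAYPAL-TRANSMISSION-SIG"]):
            raise WebhookError("bad signature")
        if tid in self.seen:
            raise WebhookError("replayed transmission")
        self.seen.add(tid)
        return apply_event(self.store, json.loads(raw_body))   # the body is trusted only now

def outcome(handler, headers, body):
    try:
        return handler.handle(headers, body)
    except WebhookError as e:
        return str(e)

def demo():
    """Forged, genuine, tampered, replayed and stale deliveries against both handlers."""
    key, webhook_id = b"constructed-test-key", "WH-constructed"
    forged = json.dumps({"event_type": "PAYMENT.CAPTURE.COMPLETED", "resource": {"custom_id": "order-1001"}}).encode()
    genuine = json.dumps({"event_type": "PAYMENT.CAPTURE.REFUNDED", "resource": {"custom_id": "order-1002"}}).encode()
    h = HardenedHandler(new_store(), webhook_id, key, now=lambda: NOW)
    fresh = deliver(key, webhook_id, "T-1", NOW - timedelta(seconds=30), genuine)
    stale = deliver(key, webhook_id, "T-2", NOW - timedelta(hours=1), genuine)
    return {
        "vulnerable_forged": vulnerable_handler(new_store(), forged),   # attacker marks the order paid
        "hardened_forged": outcome(h, {}, forged),
        "hardened_genuine": outcome(h, fresh, genuine),
        "hardened_tampered": outcome(h, fresh, genuine.replace(b"order-1002", b"order-1001")),
        "hardened_replay": outcome(h, fresh, genuine),
        "hardened_stale": outcome(h, stale, genuine),
    }
```

Running `demo()` shows the forged POST flipping the order to "paid" in the first handler and being rejected for missing headers in the second, while the genuine refund is applied once and the tampered, replayed and stale copies are refused. In production the HMAC stand-in is replaced by fetching the certificate named in PAYPAL-CERT-URL (restricted to paypal.com hosts) and verifying SHA256withRSA, or by calling PayPal's verify-webhook-signature endpoint; either way the webhook id comes from the merchant configuration, and the state written should be read back from the verified resource rather than copied from whatever the request body claims.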
Impact
Successful exploitation lets an attacker set the payment state of arbitrary transactions tracked by WPForms. Depending on how the site relies on that state, this can mark unpaid orders as paid (and trigger whatever fulfilment follows), mark paid orders as refunded or failed, or otherwise leave the plugin's records out of step with what PayPal actually processed, producing fraudulent order statuses and accounting discrepancies.
Mitigation
The vulnerability is fixed in WPForms Lite version 1.10.0.5. Users are advised to update to this version or later to address the issue [1]. Since a forged event never passes through PayPal, site owners who ran an affected version should also reconcile order payment states against their PayPal transaction records for the exposure window, treating PayPal's record as authoritative.
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 affected products (no CPE assigned):
- (no CPE) range: <1.10.0.5
- (no CPE) range: <1.10.0.5
Patches
No patches discovered yet.
References (1 entry; not reproduced on this page)
News mentions
No linked articles in our index yet.