CVE-2026-7792: WPForms PayPal Webhook Forgery Vulnerability – Subscription Fraud Risk
The WPForms plugin for WordPress is vulnerable to webhook forgery that allows attackers to impersonate PayPal and manipulate subscription payment records. An attacker who knows a subscription ID can craft fake PayPal webhook messages to reactivate cancelled subscriptions, change payment status, or modify other subscription details—all without needing to authenticate or access PayPal itself. The vulnerability exists because the plugin accepts webhook payloads without verifying they actually came from PayPal using the required cryptographic signature check.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-345
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-06 / 2026-06-17
NVD description (verbatim)
The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to and including 1.10.0.1. This is due to the PayPal Commerce webhook endpoint processing unauthenticated JSON webhook payloads without verifying that the request originated from PayPal using the required HMAC-SHA256 webhook signature, and only checking whether the supplied event_type is whitelisted before dispatching the attacker-controlled resource data to handlers that update payment records. This makes it possible for unauthenticated attackers who know a valid PayPal subscription_id to forge PayPal webhook events and modify subscription payment records, such as reactivating a cancelled or suspended subscription by setting its subscription_status to active.
14 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-7792 is an insufficient data authenticity verification flaw in the WPForms PayPal Commerce webhook handler (affecting versions up to 1.10.0.1). The vulnerable endpoint processes incoming JSON webhooks without validating the HMAC-SHA256 signature that PayPal appends to legitimate requests. Instead, the code performs only a whitelist check on the event_type field before passing attacker-supplied resource data to payment record handlers. This allows an unauthenticated threat actor with knowledge of a valid subscription_id to forge webhook events—such as subscription.updated or payment.capture.completed payloads—and trigger state changes in the plugin's subscription database. The underlying weakness is classified as CWE-345 (Insufficient Verification of Data Authenticity).
Business impact
Organizations running WPForms with PayPal Commerce integration face revenue leakage and customer service disruption. Attackers could reactivate expired or cancelled subscriptions without payment, effectively converting paid subscriptions into free access. This creates revenue loss, potential chargeback disputes, and compliance issues if subscription records diverge from actual payment collection. Additionally, modified payment records may trigger false reconciliation alerts or incorrect financial reporting. Affected sites with high subscription volumes could experience significant operational overhead as teams investigate anomalous payment state changes and manually correct records.
Affected systems
The WPForms – Easy Form Builder for WordPress plugin in versions up to and including 1.10.0.1 is vulnerable. Any WordPress installation using WPForms with the PayPal Commerce payment gateway enabled is potentially at risk. The vulnerability applies regardless of whether the site actively processes subscriptions, since the webhook endpoint is live and accessible once PayPal integration is configured. Verify your installed version in the WordPress plugin dashboard or check the version string in wp-content/plugins/wpforms/wpforms.php.
Exploitability
Exploitability is straightforward for attackers with basic technical knowledge. No authentication, user interaction, or special network access is required. An attacker needs only to identify a valid subscription_id (which may be discoverable through reconnaissance or leaked customer data) and craft an HTTP POST request to the vulnerable webhook endpoint with forged JSON payload and a spoofed event_type. The attack surface is network-wide and unauthenticated, reflected in the CVSS score of 5.3 (MEDIUM, vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). However, the impact is limited to integrity of payment records; no data confidentiality or service availability is directly compromised. The vulnerability is not yet tracked in the CISA Known Exploited Vulnerabilities catalog, but the simplicity of exploitation means defensive action should not be delayed pending public proof-of-concept.
Remediation
Update WPForms to a version that implements proper HMAC-SHA256 webhook signature verification. The plugin maintainers have been notified and should release a patched version; check the official WPForms plugin page or your WordPress admin dashboard for available updates. In addition to updating, verify that PayPal webhook events are being validated against the webhook signing secret configured in your PayPal account settings. If you cannot update immediately, consider temporarily disabling PayPal Commerce integration or restricting webhook endpoint access via Web Application Firewall rules that validate incoming request signatures before they reach the plugin.
Patch guidance
Apply updates as soon as they become available through the WordPress plugin management interface. After updating, conduct a manual audit of recent subscription state changes (reactivations, status modifications) in your payment records to identify any unauthorized alterations that may have occurred while the vulnerability was present. Cross-reference suspicious changes against actual PayPal transaction logs and customer communication records. If your site processes high-volume subscriptions, consider monitoring webhook processing logs for unusual event patterns (e.g., multiple subscription reactivations from the same IP or within short timeframes) that may indicate exploitation attempts.
Detection guidance
Monitor your web server and WordPress logs for POST requests to the WPForms PayPal Commerce webhook endpoint. Look for requests that contain subscription.updated or payment.capture.completed events with subscription_status field values that differ from what PayPal's API reports for that subscription_id. Implement webhook signature validation at the Web Application Firewall layer if possible to drop unsigned or invalidly signed requests before they reach the application. Check your PayPal account's webhook event logs to compare legitimate webhook timestamps and event ordering against your WordPress payment records; gaps or inconsistencies may indicate forged events. Consider enabling additional audit logging in WPForms or via a WordPress security plugin to track all subscription state changes and their originating source.
Why prioritize this
Although the CVSS score is MEDIUM (5.3), this vulnerability warrants priority patching because it directly enables revenue fraud with no attacker authentication, low technical complexity, and clear business impact for any organization operating subscription services. The attack surface is the public-facing webhook endpoint, and the adversary only needs a valid subscription identifier to begin exploitation. The lack of signature verification is a fundamental control failure rather than an edge-case logic flaw. Organizations with mature subscription billing operations should treat this as a high-priority remediation target.
Risk score, explained
The CVSS 3.1 score of 5.3 (MEDIUM) reflects an unauthenticated network attack with low complexity and a focus on integrity impact (modification of payment records). The score does not account for business context: for a subscription-based service, the ability to forge payment events is a critical revenue control failure. The lack of CIA confidentiality or availability impact limits the numeric score, but the functional impact (fraudulent subscription reactivation) is substantial. Security teams should consider this a higher operational priority than the numeric CVSS suggests, especially for organizations dependent on recurring billing.
Frequently asked questions
Can an attacker reactivate any subscription, or do they need specific information?
An attacker needs to know or guess a valid subscription_id associated with the PayPal subscription in question. Subscription IDs may be exposed through data breaches, customer service interactions, or reconnaissance against publicly available payment pages. Once a subscription_id is known, the attacker can forge webhook events affecting that subscription without possessing PayPal account credentials.
Does this vulnerability allow the attacker to steal payment card information or customer data?
No. The vulnerability is limited to forging webhook events that modify subscription state fields in the plugin's database. It does not provide access to stored payment credentials, customer personal information, or transaction history. The impact is integrity of the subscription record, not confidentiality of sensitive data.
If I update WPForms, will my payment records automatically be corrected?
Updating the plugin fixes the vulnerability going forward, but it does not automatically audit or correct records that may have been forged before the patch was applied. You should manually review recent subscription state changes (especially reactivations and status updates) and cross-reference them against your actual PayPal transaction logs to identify and remediate any unauthorized changes.
Do I need to disable PayPal integration until a patch is available?
Disabling PayPal integration will prevent new subscriptions but may also prevent legitimate webhook processing. A more targeted approach is to monitor webhook activity closely and implement WAF rules or IP restrictions to limit access to the webhook endpoint until a patch is available. Contact WPForms support for guidance on temporary mitigations.
This analysis is provided for educational and defensive security purposes. The vulnerability details and affected version ranges are based on official CVE data and vendor advisories current as of the publication date. Organizations should verify patch availability and compatibility with their specific WordPress installation before applying updates. No liability is assumed for loss or damage resulting from the use or misuse of this information. Always test patches in a staging environment before deploying to production systems. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-46538MEDIUMMicrosoft UFO Cross-Device Task Result Injection (CVSS 5.9)
- CVE-2026-47696MEDIUMWWBN AVideo AuthorizeNet Payment Bypass—Wallet Fraud Vulnerability
- CVE-2026-8608MEDIUMEvent Monster WordPress Plugin Payment Forgery Vulnerability
- CVE-2026-9189MEDIUMContact Form 7 PayPal Add-on Payment Bypass Vulnerability
- CVE-2022-4992HIGHDräger Infinity M540 Patient Monitor Network Message Vulnerability
- CVE-2026-41577HIGHAuthentik SAML Assertion Validation Bypass (CWE-345)
- CVE-2026-47123HIGHFreeScout Email Spoofing Vulnerability – High-Severity Patch Available
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts