CVE-2026-7792 in WPForms Plugin
Summary
by MITRE • 06/06/2026
The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to and including 1.10.0.1. This is due to the PayPal Commerce webhook endpoint processing unauthenticated JSON webhook payloads without verifying that the request originated from PayPal using the required HMAC-SHA256 webhook signature, and only checking whether the supplied event_type is whitelisted before dispatching the attacker-controlled resource data to handlers that update payment records. This makes it possible for unauthenticated attackers who know a valid PayPal subscription_id to forge PayPal webhook events and modify subscription payment records, such as reactivating a cancelled or suspended subscription by setting its subscription_status to active.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 06/06/2026
The WPForms plugin for WordPress presents a critical security vulnerability classified as insufficient verification of data authenticity, affecting versions up to and including 1.10.0.1. This weakness stems from the plugin's PayPal Commerce webhook endpoint implementation which fails to validate the origin of incoming JSON payloads through proper authentication mechanisms. The vulnerability operates at the intersection of inadequate input validation and weak cryptographic verification, creating an attack surface where malicious actors can manipulate payment records without proper authorization. The flaw specifically impacts the webhook processing logic that handles PayPal Commerce notifications, where the system accepts unauthenticated requests and processes them without establishing the legitimate source through required HMAC-SHA256 signature verification.
The technical implementation of this vulnerability demonstrates a clear breakdown in the security architecture of the plugin's payment processing workflow. When PayPal sends webhook notifications to the WPForms endpoint, the system performs only a basic whitelist validation of the event_type parameter while completely bypassing the cryptographic signature verification that PayPal mandates for security. This approach violates fundamental security principles outlined in CWE-287, which addresses authentication failures in authentication and authorization systems. The absence of proper signature verification allows attackers to craft malicious webhook requests that appear to originate from PayPal, effectively bypassing the intended security controls. The vulnerability operates under the ATT&CK framework's privilege escalation and defense evasion techniques, as attackers can manipulate subscription status without direct access to administrative interfaces.
The operational impact of this vulnerability extends beyond simple data manipulation to potentially enable unauthorized financial transactions and subscription management. Attackers who possess knowledge of valid PayPal subscription_ids can forge webhook events to modify subscription payment records, including reactivating cancelled or suspended subscriptions by simply setting the subscription_status parameter to active. This capability represents a significant threat to both businesses and end users, as it allows unauthorized parties to restore access to services they should not have access to. The vulnerability creates opportunities for revenue loss, subscription abuse, and potential fraud, particularly affecting businesses that rely on subscription-based payment models. The attack vector is particularly concerning because it requires minimal credentials - only knowledge of a valid subscription_id rather than administrative access or payment credentials.
Security mitigations for this vulnerability should focus on implementing proper webhook signature verification using the HMAC-SHA256 algorithm as specified by PayPal's documentation. The plugin must validate incoming requests by generating the expected HMAC-SHA256 signature based on the request payload and comparing it with the signature provided in the request headers. This approach aligns with industry best practices for webhook security and addresses the root cause of the authentication failure. Additionally, the implementation should include robust input validation and sanitization of all webhook parameters, ensuring that even if an attacker bypasses signature verification, the system cannot be easily exploited to manipulate payment records. Organizations should also implement monitoring and alerting mechanisms to detect unauthorized webhook activity and maintain proper logging of all subscription status changes. The fix should be implemented according to security standards such as those defined in the OWASP Top Ten and NIST cybersecurity frameworks, ensuring that the solution provides adequate protection against similar vulnerabilities in the future.