What is GHSA-xjpm-62p5-jw4j?

GHSA-xjpm-62p5-jw4j is a security advisory published by GitHub Security Advisories with Medium severity. The WPForms WordPress plugin before 1.10.0.5 does not verify the authenticity of incoming PayPal...

Which CVE IDs does GHSA-xjpm-62p5-jw4j cover?

GHSA-xjpm-62p5-jw4j covers the following CVE IDs: CVE-2026-4986. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-xjpm-62p5-jw4j?

GHSA-xjpm-62p5-jw4j has a CVSS v3 base score of 5.3, published by GitHub Security Advisories.

GHSA-xjpm-62p5-jw4jMediumCVSS 5.3

The WPForms WordPress plugin before 1.10.0.5 does not verify the authenticity of incoming PayPal...

Vendor

GitHub Security Advisories

Published

June 9, 2026

Last Modified

June 9, 2026

🔗 CVE IDs covered (1)

CVE-2026-4986 →

📋 Description

The WPForms WordPress plugin before 1.10.0.5 does not verify the authenticity of incoming PayPal webhook events before processing them, allowing unauthenticated attackers to forge webhook payloads and manipulate the payment state of arbitrary transactions.

🔗 References (3)

https://nvd.nist.gov/vuln/detail/CVE-2026-4986
https://wpscan.com/vulnerability/1d99eed6-9a16-4d5a-90f9-ab604dfd5b92
https://github.com/advisories/GHSA-xjpm-62p5-jw4j