cleantalk
Vulnerabilities and Security Researches

Contact Form by WPForms – Drag & Drop Form Builder for WordPress, CVE-2026-4986

CVE, Research URL

CVE-2026-4986

Home page URL

Security reports for Contact Form by WPForms – Drag & Drop Form Builder for WordPress

Application

Contact Form by WPForms – Drag & Drop Form Builder for WordPress

Published on
Jun 09, 2026
Research Description
The WPForms WordPress plugin before 1.10.0.5 does not verify the authenticity of incoming PayPal webhook events before processing them, allowing unauthenticated attackers to forge webhook payloads and manipulate the payment state of arbitrary transactions.
Affected versions
max 1.10.0.5.
Status
vulnerable
Previous vulnerability researches
Helpfulcrowd Product Reviews (CVE-2026-8499) , Jun 11, 2026
New vulnerability
Contact Form by WPForms – Drag & Drop Form Builder for WordPress (CVE-2026-4986) , Jun 11, 2026
Spam protection, Anti-Spam, FireWall by CleanTalk (CVE-2026-8071) , Jun 11, 2026
Recover Exit For WooCommerce (CVE-2026-9662) , Jun 11, 2026
Montonio for WooCommerce (CVE-2026-48873) , Jun 11, 2026
Background Image Cropper (CVE-2024-58348) , Jun 11, 2026