CVE-2026-7792 Overview
CVE-2026-7792 affects the WPForms – Easy Form Builder plugin for WordPress in all versions up to and including 1.10.0.1. The vulnerability resides in the PayPal Commerce webhook endpoint, which processes unauthenticated JSON webhook payloads without verifying the required HMAC-SHA256 signature. The endpoint only checks whether the supplied event_type is whitelisted before dispatching attacker-controlled resource data to handlers that update payment records. Unauthenticated attackers who know a valid PayPal subscription_id can forge webhook events and modify subscription payment records.
Critical Impact
Attackers can reactivate cancelled or suspended subscriptions by setting subscription_status to active, manipulating payment state without authentication.
Affected Products
- WPForms – Easy Form Builder for WordPress (wpforms-lite) versions up to and including 1.10.0.1
- PayPal Commerce integration component (WebhookRoute.php)
- WordPress sites using WPForms with PayPal subscription payments
Discovery Timeline
- 2026-06-06 - CVE-2026-7792 published to NVD
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-7792
Vulnerability Analysis
The flaw is classified under CWE-345: Insufficient Verification of Data Authenticity. The WPForms PayPal Commerce integration exposes a REST webhook endpoint defined in src/Integrations/PayPalCommerce/Api/WebhookRoute.php. PayPal requires webhook consumers to validate inbound events using an HMAC-SHA256 signature derived from a shared webhook ID and PayPal's certificate. The vulnerable route omits this verification.
Incoming JSON payloads are accepted, parsed, and routed based solely on a whitelist check of the event_type field. Handlers such as BillingSubscriptionActivated and BillingSubscriptionCancelled then operate on the attacker-supplied resource object, including the subscription_id and subscription_status fields, to mutate stored payment records.
Root Cause
The root cause is missing cryptographic verification of webhook authenticity. The plugin trusts the structure and content of any HTTP request reaching the webhook URL. There is no validation that the request originated from PayPal, no replay protection, and no correlation between the request signature and the merchant's PayPal webhook secret.
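The following Python model is an added illustration, not WPForms code: it contrasts a dispatcher that gates only on the event_type whitelist (the flaw described above) with one that verifies the transmission signature and rejects replays before any handler touches the subscription record. The signature scheme is a simplified HMAC-SHA256 that follows this page's description rather than PayPal's exact verification procedure, and the webhook ID, secret and subscription identifiers are constructed.

```python
import hashlib
import hmac
import json

# Constructed values for this illustration; not real WPForms or PayPal data.
WEBHOOK_ID = "WH-CONSTRUCTED-0001"
WEBHOOK_SECRET = b"constructed-webhook-secret"
ALLOWED_EVENTS = {"BILLING.SUBSCRIPTION.ACTIVATED": "active",
                  "BILLING.SUBSCRIPTION.CANCELLED": "cancelled"}
FORGED = json.dumps({"event_type": "BILLING.SUBSCRIPTION.ACTIVATED", "resource": {
    "subscription_id": "I-CONSTRUCTED-1", "subscription_status": "active"}}).encode()

def vulnerable_dispatch(raw_body: bytes, records: dict) -> bool:
    """The flaw: only the event_type whitelist gates the state change."""
    event = json.loads(raw_body)
    new_status = ALLOWED_EVENTS.get(event.get("event_type"))
    if new_status is None:
        return False
    records[event["resource"]["subscription_id"]] = new_status
    return True

def expected_signature(raw_body: bytes, transmission_id: str) -> str:
    """Simplified HMAC-SHA256 over transmission id, webhook id and raw body."""
    msg = f"{transmission_id}|{WEBHOOK_ID}|".encode() + raw_body
    return hmac.new(WEBHOOK_SECRET, msg, hashlib.sha256).hexdigest()

def hardened_dispatch(raw_body: bytes, headers: dict, records: dict, seen: set) -> bool:
    """Check authenticity and reject replays before any handler runs."""
    tid = headers.get("PAYPAL-TRANSMISSION-ID", "")
    sig = headers.get("PAYPAL-TRANSMISSION-SIG", "")
    if not tid or not sig:
        return False                      # unsigned request
    if not hmac.compare_digest(expected_signature(raw_body, tid), sig):
        return False                      # forged or tampered payload
    if tid in seen:
        return False                      # replay of a genuine event
    seen.add(tid)
    return vulnerable_dispatch(raw_body, records)

def demo() -> dict:
    """Forged reactivation down both paths, then a signed event and its replay."""
    records, seen = {"I-CONSTRUCTED-1": "cancelled"}, set()
    signed = {"PAYPAL-TRANSMISSION-ID": "tx-1",
              "PAYPAL-TRANSMISSION-SIG": expected_signature(FORGED, "tx-1")}
    return {"vulnerable_accepts_forged": vulnerable_dispatch(FORGED, dict(records)),
            "hardened_accepts_forged": hardened_dispatch(FORGED, {}, records, seen),
            "hardened_accepts_signed": hardened_dispatch(FORGED, signed, records, seen),
            "hardened_accepts_replay": hardened_dispatch(FORGED, signed, records, seen)}
```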
Attack Vector
An unauthenticated remote attacker sends a crafted POST request to the plugin's public PayPal webhook endpoint. The request body contains a whitelisted event_type such as BILLING.SUBSCRIPTION.ACTIVATED and a resource block referencing a known subscription_id. The handler updates the corresponding subscription record in the WordPress database, for example flipping a cancelled subscription back to active. Knowledge of a valid subscription_id is the only prerequisite, and these identifiers can leak through emails, logs, or guessable formats.
No verified public proof-of-concept code is available. See the Wordfence Vulnerability Report and the WordPress Changeset #3532389 for technical details.
Detection Methods for CVE-2026-7792
Indicators of Compromise
- Unexpected POST requests to the WPForms PayPal Commerce webhook route without a corresponding PAYPAL-TRANSMISSION-SIG header or with malformed signature headers.
- Subscription state transitions in WPForms entries where a cancelled or suspended subscription returns to active with no matching PayPal merchant-side event.
- Webhook deliveries originating from IP addresses outside PayPal's published webhook source ranges.
Detection Strategies
- Monitor web server access logs for requests to /wp-json/wpforms/ paths referencing paypal-commerce or webhook routes, and correlate with PayPal's webhook event log to find unsourced events.
- Audit the WPForms entries database for subscription_status field changes that lack a corresponding signed PayPal transmission ID.
- Deploy WAF rules that block requests to the WPForms PayPal webhook endpoint missing PayPal transmission headers (PAYPAL-TRANSMISSION-ID, PAYPAL-TRANSMISSION-SIG, PAYPAL-CERT-URL).
Monitoring Recommendations
- Alert on any reactivation of previously cancelled subscriptions that does not correlate with a PayPal-side event ID.
- Track request volume to the PayPal webhook endpoint and flag anomalies suggesting enumeration of subscription_id values.
- Forward WordPress and webhook logs to a centralized analytics platform for cross-source correlation against PayPal merchant API event history.
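As an added illustration (not WPForms or PayPal code) of the correlation the audit and alerting items above describe, the script below matches WordPress-side subscription status transitions against PayPal's merchant event log by transmission ID and flags every reactivation that PayPal did not issue for that subscription. The transitions, event log and identifiers are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class StatusChange:
    """One subscription_status transition recorded on the WordPress side."""
    subscription_id: str
    old_status: str
    new_status: str
    transmission_id: Optional[str]  # PAYPAL-TRANSMISSION-ID stored with the change, if any

# Constructed sample data: WPForms-side transitions and PayPal's merchant event log.
WP_CHANGES = [
    StatusChange("I-CONSTRUCTED-1", "active", "cancelled", "tx-100"),
    StatusChange("I-CONSTRUCTED-1", "cancelled", "active", None),      # no transmission id
    StatusChange("I-CONSTRUCTED-2", "suspended", "active", "tx-200"),  # PayPal issued this
    StatusChange("I-CONSTRUCTED-3", "cancelled", "active", "tx-999"),  # PayPal never issued
    StatusChange("I-CONSTRUCTED-4", "cancelled", "active", "tx-300"),  # belongs to another sub
]
PAYPAL_EVENTS = {  # transmission id -> (subscription_id, event_type)
    "tx-100": ("I-CONSTRUCTED-1", "BILLING.SUBSCRIPTION.CANCELLED"),
    "tx-200": ("I-CONSTRUCTED-2", "BILLING.SUBSCRIPTION.ACTIVATED"),
    "tx-300": ("I-CONSTRUCTED-5", "BILLING.SUBSCRIPTION.ACTIVATED"),
}
REACTIVATION_EVENT = "BILLING.SUBSCRIPTION.ACTIVATED"

def unsourced_reactivations(changes, paypal_events) -> list:
    """Return reactivations that PayPal's own event log does not account for."""
    flagged = []
    for c in changes:
        if c.new_status != "active" or c.old_status not in ("cancelled", "suspended"):
            continue
        # A reactivation is legitimate only if PayPal issued an ACTIVATED event
        # under this transmission id for this very subscription.
        event = paypal_events.get(c.transmission_id) if c.transmission_id else None
        if event != (c.subscription_id, REACTIVATION_EVENT):
            flagged.append(c)
    return flagged

def flagged_ids(changes=WP_CHANGES, paypal_events=PAYPAL_EVENTS) -> list:
    """Compact (subscription_id, transmission_id) view of the flagged changes."""
    return [(c.subscription_id, c.transmission_id)
            for c in unsourced_reactivations(changes, paypal_events)]
```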
How to Mitigate CVE-2026-7792
Immediate Actions Required
- Update the WPForms plugin to a version newer than 1.10.0.1 that includes the fix from WordPress Changeset #3532389.
- Review WPForms PayPal subscription records for unauthorized state changes since the plugin was installed.
- Rotate PayPal webhook IDs and shared secrets after patching so that any webhook identifiers or secrets exposed before the fix can no longer be used.
Patch Information
The maintainers addressed the issue in the WPForms codebase via changeset 3532389, which adds HMAC-SHA256 signature verification to the PayPal Commerce webhook route. Site administrators should upgrade through the WordPress plugin updater or pull the fixed version directly from the WordPress Plugin Directory.
Workarounds
- Restrict access to the WPForms PayPal webhook endpoint at the WAF or reverse proxy layer, allowing only PayPal's documented webhook source IP ranges.
- Temporarily disable the PayPal Commerce integration in WPForms if upgrading is not immediately possible.
- Enforce request validation at the edge by requiring presence of PAYPAL-TRANSMISSION-SIG and PAYPAL-CERT-URL headers before forwarding to WordPress.
# Example NGINX rule to require PayPal signature headers on the webhook route.
# This checks only that the headers are present and that the certificate URL
# points at PayPal's live API host; it does not verify the signature itself, so
# the plugin update is still required. Sandbox deliveries (api.sandbox.paypal.com)
# would be rejected by the second check.
location ~* /wp-json/wpforms/.*paypal.*webhook {
    # Reject requests that carry no transmission signature at all.
    if ($http_paypal_transmission_sig = "") { return 403; }
    # Reject requests whose certificate URL is not under PayPal's API host.
    if ($http_paypal_cert_url !~* "^https://api\.paypal\.com/") { return 403; }
    proxy_pass http://wordpress_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.