CVE-2026-4986

The WPForms WordPress plugin before 1.10.0.5 does not verify the authenticity of incoming PayPal webhook events before processing them, allowing unauthenticated attackers to forge webhook payloads and manipulate the payment state of arbit…

Vulnerability class: Broken Access Control

CVSS v3 metric

CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N.

Frequently asked questions

What is CVE-2026-4986?
CVE-2026-4986 is a medium-severity vulnerability, classified under Missing Authorization. CVSS score: 5.3/10. Published 2026-06-09.

How severe is CVE-2026-4986?
Medium severity. CVSS v3 base score is 5.3 out of 10.