Nixpkgs security tracker

Untriaged

Permalink CVE-2026-4986

5.3 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

created 6 days, 18 hours ago Activity log

Created suggestion 6 days, 18 hours ago

WPForms Lite < 1.10.0.5 – Unauthenticated PayPal Webhook Forgery

The WPForms WordPress plugin before 1.10.0.5 does not verify the authenticity of incoming PayPal webhook events before processing them, allowing unauthenticated attackers to forge webhook payloads and manipulate the payment state of arbitrary transactions.

References

https://wpscan.com/vulnerability/1d99eed6-9a16-4d5a-90f9-ab604dfd5b92/ exploitvdb-entrytechnical-description

Affected products

WPForms

<1.10.0.5

Matching in nixpkgs

pkgs.wordpressPackages.plugins.wpforms-lite

None

nixos-unstable 1.9.9.2
- nixpkgs-unstable 1.9.9.2
- nixos-unstable-small 1.9.9.2
nixos-26.05 1.9.9.2
- nixos-26.05-small 1.9.9.2
- nixpkgs-26.05-darwin 1.9.9.2

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.wordpressPackages.plugins.wpforms-lite