The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to and including 1.10.0.1. This is due to the PayPal Commerce webhook endpoint processing unauthenticated JSON webhook payloads without verifying that the request originated from PayPal using the required HMAC-SHA256 webhook signature, and only checking whether the supplied event_type is whitelisted before dispatching the attacker-controlled resource data to handlers that update payment records. This makes it possible for unauthenticated attackers who know a valid PayPal subscription_id to forge PayPal webhook events and modify subscription payment records, such as reactivating a cancelled or suspended subscription by setting its subscription_status to active.
WPForms plugin versions up to 1.10.0.1 fail to verify PayPal webhook signatures, allowing unauthenticated attackers to forge webhook events and manipulate payment records. Attackers can reactivate cancelled subscriptions or modify payment data by knowing a valid subscription ID.
The WPForms plugin lacks verification of the required PayPal webhook signature, which allows attackers to forge webhook events and modify payment records. Attackers can reactivate cancelled or suspended subscriptions, or modify other payment data, using a known valid subscription ID.
Update the WPForms plugin to version 1.10.1 or later immediately. Implement webhook signature verification using HMAC-SHA256 validation. Restrict webhook endpoint access to known PayPal IP addresses. Monitor payment records for unauthorized modifications and review subscription status changes.
Update the WPForms plugin to version 1.10.1 or later immediately. Implement webhook signature verification using HMAC-SHA256 validation. Restrict webhook endpoint access to known PayPal IP addresses. Monitor payment records for unauthorized modifications and review subscription status changes.
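As an added illustration, not code from the plugin, the dispatch pattern the advisory describes is shown beside a hardened handler that authenticates the raw request body with HMAC-SHA256 before parsing or acting on it. The shared secret, header name, event names and in-memory record table are constructed placeholders and do not model PayPal's actual signature scheme.

```python
import hashlib
import hmac
import json

# Event types the handler is willing to act on (constructed allow-list).
ALLOWED_EVENTS = {"BILLING.SUBSCRIPTION.ACTIVATED", "BILLING.SUBSCRIPTION.CANCELLED"}

# Hypothetical shared secret and header name for the HMAC-SHA256 check;
# PayPal's actual signature scheme is not modelled here.
WEBHOOK_SECRET = b"constructed-demo-secret"
SIG_HEADER = "X-Webhook-Signature"

def dispatch(event: dict, records: dict) -> bool:
    """Apply an allow-listed event to the matching payment record."""
    if event.get("event_type") not in ALLOWED_EVENTS:
        return False
    resource = event.get("resource") or {}
    record = records.get(resource.get("id"))
    if record is None:
        return False
    record["subscription_status"] = resource.get("status", record["subscription_status"])
    return True

def vulnerable_handler(raw_body: bytes, headers: dict, records: dict) -> bool:
    """The pattern the advisory describes: parse, check event_type, dispatch.
    Nothing here proves the request came from the payment provider."""
    return dispatch(json.loads(raw_body), records)

def sign(raw_body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """HMAC-SHA256 over the exact raw bytes, as the provider would compute it."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

def hardened_handler(raw_body: bytes, headers: dict, records: dict) -> bool:
    """Authenticate the raw body first; only then parse and dispatch."""
    provided = headers.get(SIG_HEADER, "")
    # Constant-time comparison so the MAC cannot be recovered byte by byte.
    if not hmac.compare_digest(provided, sign(raw_body)):
        return False
    try:
        event = json.loads(raw_body)
    except ValueError:
        return False
    return dispatch(event, records)

def activation_event() -> bytes:
    """Constructed webhook body that sets a subscription's status to active."""
    return json.dumps({"event_type": "BILLING.SUBSCRIPTION.ACTIVATED",
                       "resource": {"id": "I-EXAMPLE123", "status": "active"}}).encode()
```

The unsigned body flips a cancelled record to active through `vulnerable_handler`, while `hardened_handler` rejects it, rejects a valid signature attached to a modified body, and still applies the allow-list once the signature checks out.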