Description
The PayPal Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing nonce validation on the form creation and management functions. This makes it possible for unauthenticated attackers to create new PayPal forms and modify PayPal payment settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-10-03
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized creation and alteration of PayPal payment forms
Action: Apply Patch
AI Analysis

Impact

The PayPal Forms WordPress plugin allows unauthenticated attackers to create new PayPal payment forms and modify existing payment settings because the plugin does not validate nonces on its form creation and management operations. This lets an attacker alter how payments are processed on a site, potentially redirecting funds, collecting sensitive information, or disabling legitimate transaction flows. The root cause, a missing CSRF nonce check, is classified as cross‑site request forgery (CWE‑352).

Affected Systems

Platform: WordPress plugin named PayPal Forms from vendor bsmye. All releases up to and including version 1.0.3 are affected. The vulnerability is present in the form creation and management features accessed by site administrators.

Risk and Exploitability

The overall CVSS score is 4.3, indicating moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation at this time, and the flaw is not listed in the CISA KEV catalog. The attack requires the attacker to lure a logged-in administrator into submitting a crafted request, for example by clicking a malicious link; the forged request is then processed under the administrator's session, so the attacker needs no credentials of their own to create or alter PayPal payment forms. The expected impact is limited to compromised transaction configuration rather than full system compromise, but it can lead to financial loss or exposure of payment data if the configuration changes route funds elsewhere. The risk is moderate, with exploitation likely constrained to sites running the vulnerable plugin version whose administrators follow untrusted links while logged in.

Generated by OpenCVE AI on April 22, 2026 at 14:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the PayPal Forms plugin to a patch release that includes the nonce validation fix
  • If an upgrade cannot be performed immediately, limit administrative access and ensure that any form‑creation or payment‑setting URLs are protected by a strict anti‑CSRF mechanism such as same‑site cookies or additional authentication guards
  • Deploy a security plugin or web‑application firewall rule that blocks or requires confirmation for unauthenticated state‑changing requests to the PayPal Forms endpoints

Generated by OpenCVE AI on April 22, 2026 at 14:12 UTC.
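To make the weakness class named in the Description and in the first recommended action concrete (CWE-352: a state-changing admin handler that never checks a nonce), here is an added example that is not the PayPal Forms plugin's code: a hypothetical admin-post handler that saves a payment setting, shown first in the vulnerable pattern and then hardened with WordPress's nonce and capability checks. The ppf_ prefix, the action name, the option key and all function names are assumptions.

```php
<?php
// Added illustration of CWE-352 in a WordPress admin handler. Hypothetical
// plugin code, not the PayPal Forms plugin's source. The "ppf_" prefix, the
// option key and the action name are assumptions.

// --- Vulnerable pattern: state change with no nonce and no capability check.
// Every request routed to admin-post.php?action=ppf_save_settings is honoured,
// so a request the browser of a logged-in administrator is tricked into sending
// (e.g. from a link on another site) is indistinguishable from a deliberate one.
function ppf_save_settings_vulnerable() {
    $email = sanitize_email( $_POST['ppf_paypal_email'] ?? '' );
    update_option( 'ppf_paypal_email', $email );
    wp_safe_redirect( admin_url( 'admin.php?page=ppf-settings&saved=1' ) );
    exit;
}
// add_action( 'admin_post_ppf_save_settings', 'ppf_save_settings_vulnerable' );

// --- Hardened pattern: the form carries a nonce bound to this action and the
// current user's session; the handler verifies it before touching any option.
function ppf_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'ppf_save_settings', 'ppf_nonce' ); // also emits _wp_http_referer
    echo '<input type="hidden" name="action" value="ppf_save_settings">';
    echo '<input type="email" name="ppf_paypal_email" value="'
        . esc_attr( get_option( 'ppf_paypal_email', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

function ppf_save_settings_hardened() {
    // Ends the request with a 403 page unless a valid nonce for this action is present.
    check_admin_referer( 'ppf_save_settings', 'ppf_nonce' );
    // A nonce proves intent, not authorization: still enforce the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'ppf' ), '', array( 'response' => 403 ) );
    }
    $email = sanitize_email( wp_unslash( $_POST['ppf_paypal_email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        wp_die( esc_html__( 'Invalid PayPal email.', 'ppf' ), '', array( 'response' => 400 ) );
    }
    update_option( 'ppf_paypal_email', $email );
    wp_safe_redirect( admin_url( 'admin.php?page=ppf-settings&saved=1' ) );
    exit;
}
add_action( 'admin_post_ppf_save_settings', 'ppf_save_settings_hardened' );
```

The same principle covers the form-creation handlers the advisory mentions: AJAX handlers use `check_ajax_referer()` and REST routes declare a `permission_callback`, and a code audit that greps state-changing handlers for a missing `check_admin_referer`/`wp_verify_nonce` call is a quick way to spot this pattern.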


Advisories
Source: EUVD
ID: EUVD-2025-32265
Title: The PayPal Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing nonce validation on the form creation and management functions. This makes it possible for unauthenticated attackers to create new PayPal forms and modify PayPal payment settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Mon, 06 Oct 2025 14:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Bsmye; Bsmye paypal Forms; Wordpress; Wordpress wordpress
Vendors & Products    -                Bsmye; Bsmye paypal Forms; Wordpress; Wordpress wordpress

Fri, 03 Oct 2025 19:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Oct 2025 11:30:00 +0000

Type          Values Removed   Values Added
Description   -                The PayPal Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing nonce validation on the form creation and management functions. This makes it possible for unauthenticated attackers to create new PayPal forms and modify PayPal payment settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title         -                PayPal Forms <= 1.0.3 - Cross-Site Request Forgery
Weaknesses    -                CWE-352
References
Metrics       -                cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:06:05.902Z

Reserved: 2025-09-11T22:49:58.682Z

Link: CVE-2025-10309

Vulnrichment

Updated: 2025-10-03T18:12:41.424Z

NVD

Status: Deferred

Published: 2025-10-03T12:15:42.647

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10309

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T14:15:20Z

Weaknesses