Description
Missing Authorization vulnerability in ZealousWeb Accept PayPal Payments using Contact Form 7 contact-form-7-paypal-extension allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accept PayPal Payments using Contact Form 7: from n/a through <= 4.0.4.
Published: 2026-04-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Payment Processing
Action: Update Plugin
AI Analysis

Impact

A missing authorization flaw in the ZealousWeb "Accept PayPal Payments using Contact Form 7" extension lets a user bypass intended access controls to trigger payment processing actions. The weakness, identified as CWE-862, could enable an attacker to execute payments or modify payment settings without proper privileges, compromising the integrity and confidentiality of financial transactions.

Affected Systems

All installations of the ZealousWeb Accept PayPal Payments using Contact Form 7 WordPress plugin up to and including version 4.0.4 are vulnerable. The vulnerability targets the plugin’s configuration and payment execution paths within the WordPress environment.

Risk and Exploitability

No EPSS score is available and the issue is not listed in CISA’s KEV catalog, indicating limited publicly known exploitation data. Based on the description, it is inferred that the likely attack vector is through the WordPress web interface, exploiting incorrectly configured role or capability checks; only users who can access the plugin settings could leverage the flaw. The CVSS severity is not provided, but the potential to disrupt or fabricate payments represents a high-severity risk for sites relying on this extension.

Generated by OpenCVE AI on April 8, 2026 at 10:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Accept PayPal Payments using Contact Form 7 to the latest available version (e.g., 4.0.5 or newer).
  • Ensure that only trusted administrators or users with elevated roles can access payment configuration pages and modify settings.
  • Audit WordPress user roles and capabilities to confirm that payment-related permissions are properly restricted.
  • After applying the patch, monitor site logs for anomalous payment requests or configuration changes that may indicate prior exploitation.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 08:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Missing Authorization vulnerability in ZealousWeb Accept PayPal Payments using Contact Form 7 contact-form-7-paypal-extension allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accept PayPal Payments using Contact Form 7: from n/a through <= 4.0.4. |
| Title | | WordPress Accept PayPal Payments using Contact Form 7 plugin <= 4.0.4 - Broken Access Control vulnerability |
| Weaknesses | | CWE-862 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-08T08:30:47.904Z

Reserved: 2026-04-07T10:58:22.476Z

Link: CVE-2026-39707

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-08T09:16:43.490

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-39707

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:40:11Z

Weaknesses