What is Insufficient Verification of Data Authenticity?

Insufficient Verification of Data Authenticity is a type of vulnerability that occurs when an application fails to properly verify the authenticity of data it receives. This can allow attackers to send fake or malicious data to the application, which can then be processed as if it were legitimate.

The CVE-2026-7792 Vulnerability

The WPForms – Easy Form Builder for WordPress plugin is vulnerable to Insufficient Verification of Data Authenticity in versions up to and including 1.10.0.1. The vulnerability is caused by the PayPal Commerce webhook endpoint processing unauthenticated JSON webhook payloads without verifying that the request originated from PayPal using the required HMAC-SHA256 webhook signature. The endpoint only checks whether the supplied event_type is whitelisted before dispatching the attacker-controlled resource data to handlers that update payment records.

How is this Vulnerability Exploited?

Unauthenticated attackers who know a valid PayPal subscription_id can exploit this vulnerability by forging PayPal webhook events and modifying subscription payment records. For example, an attacker could reactivate a cancelled or suspended subscription by setting its subscription_status to active.

What can be Done to Prevent this Vulnerability?

To prevent this vulnerability, users should update the WPForms plugin to a version that is not vulnerable (versions up to and including 1.10.0.1 are affected). More generally, any code that accepts data from an external source such as a webhook should verify the authenticity of that data before acting on it, rather than relying on checks of fields the sender controls, such as event_type.
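As an added illustration (not WPForms or PayPal code), the sketch below contrasts a handler that only whitelists event_type with one that authenticates the raw request body before parsing it. The shared secret, the hex HMAC-SHA256 signature argument, the event name and the subscription ID are assumptions constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed values: the secret, event name and subscription ID are made up,
# and the signature format (hex HMAC-SHA256 of the raw body) is an assumption.
WEBHOOK_SECRET = b"constructed-demo-secret"
ALLOWED_EVENTS = {"subscription.updated"}
SAMPLE_BODY = json.dumps({
    "event_type": "subscription.updated",
    "resource": {"subscription_id": "I-CONSTRUCTED0001",
                 "subscription_status": "active"},
}).encode()

def sign(raw_body, secret=WEBHOOK_SECRET):
    """Sender side: hex HMAC-SHA256 over the exact bytes that are transmitted."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

def apply_event(payments, event):
    """Write the event's subscription status into the payment records."""
    resource = event["resource"]
    payments[resource["subscription_id"]] = resource["subscription_status"]

def handle_whitelist_only(payments, raw_body):
    """Flawed pattern: event_type is the only check before dispatch."""
    event = json.loads(raw_body)
    if event.get("event_type") not in ALLOWED_EVENTS:
        return 400
    apply_event(payments, event)
    return 200

def handle_verified(payments, raw_body, signature_hex):
    """Authenticate the raw bytes first; parse and dispatch only on a match."""
    supplied = (signature_hex or "").encode()
    if not hmac.compare_digest(sign(raw_body).encode(), supplied):
        return 401  # missing or wrong signature: the body is never parsed
    event = json.loads(raw_body)
    if event.get("event_type") not in ALLOWED_EVENTS:
        return 400
    if event.get("resource", {}).get("subscription_id") not in payments:
        return 404  # never create records from webhook input
    apply_event(payments, event)
    return 200
```

A valid signature does not by itself stop a previously genuine event from being replayed; that needs a timestamp or event-ID check, which this sketch omits.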