CVE-2025-12752
Subscriptions & Memberships for PayPal <= 1.1.7 - Unauthenticated Fake Payment Creation
CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th
The Subscriptions & Memberships for PayPal plugin for WordPress is vulnerable to fake payment creation in all versions up to, and including, 1.1.7. This is due to the plugin not properly verifying the authenticity of an IPN request. This makes it possible for unauthenticated attackers to create fake payment entries that have not actually occurred.
| CWE | CWE-345 |
| Vendor | scottpaterson |
| Product | subscriptions & memberships for paypal |
| Published | Nov 22, 2025 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for scottpaterson subscriptions & memberships for paypal
Be the first to know when new medium vulnerabilities affecting scottpaterson subscriptions & memberships for paypal are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
scottpaterson / Subscriptions & Memberships for PayPal
0 โค 1.1.7
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/8f706b78-2d67-442c-b7a0-7d7a0fd24b2d?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/subscriptions-memberships-for-paypal/trunk/includes/public_ipn.php plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3397608%40subscriptions-memberships-for-paypal&new=3397608%40subscriptions-memberships-for-paypal&sfp_email=&sfph_mail=
Credits
Md. Moniruzzaman Prodhan