CVE-2025-12752 MEDIUM

CVE-2025-12752: Subscriptions & Memberships for PayPal <= 1.1.7 - Unauthenticated Fake Payment Creation

Vendor: Scottpaterson
Product: Subscriptions & Memberships for PayPal
Weakness: CWE-345
Published: November 22, 2025
Last update: April 8, 2026

CVSS base score

5.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: None
Integrity: Low
Availability: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The Subscriptions & Memberships for PayPal plugin for WordPress is vulnerable to fake payment creation in all versions up to, and including, 1.1.7. This is because the plugin does not properly verify the authenticity of an IPN (Instant Payment Notification) request before acting on it. This makes it possible for unauthenticated attackers to create payment entries for payments that never actually occurred.
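As an added defensive example (not the plugin's own code and not the vendor's fix), the following WordPress IPN listener performs the authenticity check the description says is missing: it posts the received message back to PayPal and creates no record unless PayPal answers VERIFIED, the receiver matches the merchant account, the payment is Completed, and the txn_id has not been seen before. The smfp_ prefix, the option names and the action name are assumptions made for this example; the WordPress and PayPal endpoints used are real.

```php
// Added illustrative example: not code from the Subscriptions & Memberships for PayPal
// plugin and not the vendor's fix. The smfp_ prefix and option names are assumptions.

// Echo the IPN payload back to PayPal; only a 'VERIFIED' reply proves PayPal sent it.
function smfp_ipn_is_verified( array $ipn ) {
    $url = empty( $ipn['test_ipn'] )
        ? 'https://ipnpb.paypal.com/cgi-bin/webscr'
        : 'https://ipnpb.sandbox.paypal.com/cgi-bin/webscr';
    $response = wp_remote_post( $url, array(
        'body'    => array_merge( array( 'cmd' => '_notify-validate' ), $ipn ),
        'timeout' => 30,
    ) );
    return ! is_wp_error( $response )
        && 200 === (int) wp_remote_retrieve_response_code( $response )
        && 'VERIFIED' === trim( wp_remote_retrieve_body( $response ) );
}

// Remember accepted txn_ids so a captured, genuine IPN cannot be replayed.
function smfp_ipn_is_replay( $txn_id ) {
    $seen = (array) get_option( 'smfp_seen_txn_ids', array() );
    if ( in_array( $txn_id, $seen, true ) ) {
        return true;
    }
    $seen[] = $txn_id;
    update_option( 'smfp_seen_txn_ids', $seen, false );
    return false;
}

// Unauthenticated listener PayPal posts to: /wp-admin/admin-post.php?action=smfp_ipn
function smfp_handle_ipn() {
    $ipn = wp_unslash( $_POST ); // WordPress slashes request data; PayPal needs raw values.
    // Fail closed: nothing is recorded unless PayPal confirms the message.
    if ( ! smfp_ipn_is_verified( $ipn ) ) {
        status_header( 400 ); exit;
    }
    // The payment must be to this merchant, completed, and not seen before.
    $merchant = get_option( 'smfp_paypal_email', '' );
    if ( empty( $ipn['txn_id'] ) || '' === $merchant
        || 0 !== strcasecmp( $ipn['receiver_email'] ?? '', $merchant )
        || 'Completed' !== ( $ipn['payment_status'] ?? '' )
        || smfp_ipn_is_replay( $ipn['txn_id'] ) ) {
        status_header( 200 ); exit; // acknowledge so PayPal stops retrying, but record nothing
    }
    // Only now may a payment record be created (the handler still checks amount/currency).
    do_action( 'smfp_ipn_verified', $ipn );
    status_header( 200 ); exit;
}
add_action( 'admin_post_nopriv_smfp_ipn', 'smfp_handle_ipn' );
add_action( 'admin_post_smfp_ipn', 'smfp_handle_ipn' );
```

Without the postback step, anyone who can reach the listener can submit a form that looks like a PayPal notification, which is the condition the description above refers to.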

Explanation of Vulnerability in Simple Terms

02 Summary

Subscriptions & Memberships for PayPal versions 1.1.7 and earlier contain an integrity vulnerability that lets unauthenticated attackers modify data over the network. No user interaction is required. Confidentiality and availability are not affected, but attackers can alter the payment information the plugin processes.

What an attacker can do

03 Attacker Capabilities

Modify data processed by the plugin without authentication.

Potential impact on your site

04 Site Impact

Attackers can alter subscription or payment data without logging in, potentially corrupting records or transactions.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06 Disclosure timeline

November 22, 2025: CVE published
April 8, 2026: Record updated