CVE-2025-10309: 
WordPress vulnerability analysis and mitigation

The PayPal Forms plugin for WordPress (versions up to 1.0.3) was identified with a Cross-Site Request Forgery (CSRF) vulnerability, assigned CVE-2025-10309. The vulnerability was discovered by Nabil Irawan and publicly disclosed on October 2, 2025. This security issue affects the form creation and management functions of the plugin (NVD Database).

The vulnerability stems from missing nonce validation in the form creation and management functions. It has been assigned a CVSS v3.1 Base Score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) (NVD Database, Wordfence).

When exploited, this vulnerability allows unauthenticated attackers to create new PayPal forms and modify PayPal payment settings through forged requests. The attack requires social engineering to trick a site administrator into performing specific actions, such as clicking on a malicious link (NVD Database).

Website administrators running affected versions of the PayPal Forms plugin (1.0.3 and below) should update to a patched version when available. In the meantime, administrators should exercise caution when clicking on links while logged into their WordPress dashboard (NVD Database).