TLDR WPForms Lite is a WordPress form plugin with around 6 million active installs. Versions 1.10.0.1 through 1.10.0.4 ship a PayPal Commerce webhook handler that accepts events from anyone on the internet. No signature check. No shared secret. No callback to PayPal. Send a forged JSON body to /wp-json/wpforms/ppc/webhooks and you can flip any pending order from “processed” to “completed”, which fires every downstream action the site has set up: digital downloads, license key emails, membership grants, CRM integrations, custom hooks.