Contact Form 7 – PayPal & Stripe Add-on <= 2.4.9 - Unauthenticated Payment Bypass via Insufficient Verification of Data Authenticity via PayPal IPN Handler ('invoice'/'mc_gross' Verification)

The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress is vulnerable to Payment Bypass via Insufficient Verification of Data Authenticity in all versions up to, and including, 2.4.9. Although `cf7pp_paypal_ipn_handler()` correctly validates IPN authenticity by posting back to PayPal with `cmd=_notify-validate`, it fails to compare the IPN payload's `mc_gross` (payment amount), `mc_currency`, or `receiver_email` fields against the corresponding stored order values before passing the attacker-controlled `invoice` field directly to `cf7pp_complete_payment()`, which marks the order completed after only an integer cast with no amount verification. This makes it possible for unauthenticated attackers to mark arbitrary high-value pending orders as fully paid by making a minimal real PayPal payment and crafting an IPN whose `invoice` parameter references the targeted order, effectively completing purchases without tendering the required payment amount.

Back to Feed View Plugin Hub Open CVE Reference

Published

May 28, 2026

Last Updated

May 28, 2026

Slug

contact-form-7-paypal-add-on

Risk Profile

5.3 CVSS Score

Weakness

Insufficient Verification of Data Authenticity

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Researchers

Stranger825

Operational Summary

What the operator needs to know

Share Email

Patch Status

Patched release is available

Remediation

Update to version 2.4.10, or a newer patched version

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/5e274781-1c20-4224-bc10-26dadb9b1e07?source=api-prod

Detailed Metadata

Software Type	Plugin
Software Slug	contact-form-7-paypal-add-on View on wordpress.org
CVE	CVE-2026-9189
Patched Versions	2.4.10
Affected Versions	*-2.4.9

Licensing Notices

This record contains material that is subject to copyright

DEFIANT

License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. Read more

MITRE

License: CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. Read more