Contact Form 7 – PayPal & Stripe Add-on <= 2.4.9 - Unauthenticated Payment Bypass via Insufficient Verification of Data Authenticity via PayPal IPN Handler ('invoice'/'mc_gross' Verification)
Summary
| CVE | CVE-2026-9189 |
|---|---|
| State | PUBLISHED |
| Assigner | Wordfence |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-29 09:16:18 UTC |
| Updated | 2026-05-29 13:09:05 UTC |
| Description | The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress is vulnerable to Payment Bypass via Insufficient Verification of Data Authenticity in all versions up to, and including, 2.4.9. Although `cf7pp_paypal_ipn_handler()` correctly validates IPN authenticity by posting back to PayPal with `cmd=_notify-validate`, it fails to compare the IPN payload's `mc_gross` (payment amount), `mc_currency`, or `receiver_email` fields against the corresponding stored order values before passing the attacker-controlled `invoice` field directly to `cf7pp_complete_payment()`, which marks the order completed after only an integer cast with no amount verification. This makes it possible for unauthenticated attackers to mark arbitrary high-value pending orders as fully paid by making a minimal real PayPal payment and crafting an IPN whose `invoice` parameter references the targeted order, effectively completing purchases without tendering the required payment amount. |
Risk And Classification
Primary CVSS: v3.1 5.3 MEDIUM from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.000330000 probability, percentile 0.102300000 (date 2026-06-02)
Problem Types: CWE-345 | CWE-345 CWE-345 Insufficient Verification of Data Authenticity
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| 3.1 | CNA | DECLARED | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
LowAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Scottpaterson | Contact Form 7 PayPal Stripe Add-on | affected 2.4.9 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.wordfence.com/threat-intel/vulnerabilities/id/5e274781-1c20-4224-bc10-26dad... | [email protected] | www.wordfence.com | |
| plugins.trac.wordpress.org/browser/contact-form-7-paypal-add-on/tags/2.4.6/includes/paym... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/contact-form-7-paypal-add-on/tags/2.4.6/includes/paym... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/contact-form-7-paypal-add-on/tags/2.4.8/includes/paym... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/contact-form-7-paypal-add-on/tags/2.4.8/includes/paym... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/contact-form-7-paypal-add-on/tags/2.4.8/includes/paym... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/contact-form-7-paypal-add-on/tags/2.4.6/includes/paym... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/changeset/3551197/contact-form-7-paypal-add-on | [email protected] | plugins.trac.wordpress.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Muni Nitish Kumar Yaddala (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-05-21T15:22:09.000Z | Vendor Notified |
| CNA | 2026-05-28T19:54:04.000Z | Disclosed |
There are currently no legacy QID mappings associated with this CVE.