Description
The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress is vulnerable to Payment Bypass via Insufficient Verification of Data Authenticity in all versions up to, and including, 2.4.9. Although `cf7pp_paypal_ipn_handler()` correctly validates IPN authenticity by posting back to PayPal with `cmd=_notify-validate`, it fails to compare the IPN payload's `mc_gross` (payment amount), `mc_currency`, or `receiver_email` fields against the corresponding stored order values before passing the attacker-controlled `invoice` field directly to `cf7pp_complete_payment()`, which marks the order completed after only an integer cast with no amount verification. This makes it possible for unauthenticated attackers to mark arbitrary high-value pending orders as fully paid by making a minimal real PayPal payment and crafting an IPN whose `invoice` parameter references the targeted order, effectively completing purchases without tendering the required payment amount.
Published: 2026-05-29
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Contact Form 7 – PayPal & Stripe Add-on contains a flaw in its IPN handler that authenticates the PayPal message but does not compare the transaction amount, currency, or receiver email to the values stored for the order before marking it complete. As a result, an unauthenticated attacker can trigger a minimal real payment with PayPal, craft a custom IPN that references an existing high-value pending order, and cause the plugin to mark that order as paid. This is an example of insufficient verification of data authenticity (CWE-345).

Affected Systems

WordPress sites using the Contact Form 7 – PayPal & Stripe Add-on from scottpaterson. All plugin versions up to and including 2.4.9 are vulnerable. No other vendors or product families are affected by this specific flaw.

Risk and Exploitability

The vulnerability has a CVSS score of 5.3, indicating moderate severity, and it is not listed in the CISA KEV catalog. The EPSS score is not available, so the current exploitation probability cannot be quantified. The likely attack vector involves an attacker sending a forged PayPal IPN after making a small real payment; given that the IPN handler offers no authentication for the payload beyond the basic POST-back check, the vulnerability can be exploited by anyone who can reach the PayPal IPN endpoint on the target site.

Generated by OpenCVE AI on May 29, 2026 at 10:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Contact Form 7 – PayPal & Stripe Add-on to the latest release (any version newer than 2.4.9).
  • If an update is not possible immediately, disable the IPN handling endpoint or modify the handler to reject IPNs that do not verify the mc_gross, mc_currency, and receiver_email against the stored order values before calling cf7pp_complete_payment().
  • Monitor order completion logs for high-value orders completed with payments that appear too small and revoke any suspicious orders manually. That will provide a temporary safety net while the issue is resolved.
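The missing comparison from the second recommendation, as an added example that is not the plugin's own code: after PayPal has answered VERIFIED to the cmd=_notify-validate post-back, the IPN payload is checked against the stored order before anything is marked paid. The helper names (cf7pp_example_*), the order array shape and all sample values are assumptions for illustration.

```php
<?php
// Added example, not the plugin's own code. Hypothetical helpers a hardened
// cf7pp_paypal_ipn_handler() would call after PayPal answers VERIFIED to the
// cmd=_notify-validate post-back and before cf7pp_complete_payment() runs.
// Assumed: the stored order is an array with 'amount', 'currency' and
// 'receiver_email' (in the real plugin these would come from the order record).

// Parse a PayPal decimal amount string ("249.00", "1.5") into integer minor
// units, or return null for anything that is not a plain non-negative decimal.
// Integer comparison avoids float rounding surprises.
function cf7pp_example_to_minor_units( string $amount ): ?int {
    if ( ! preg_match( '/^(\d+)(?:\.(\d{1,2}))?$/', trim( $amount ), $m ) ) {
        return null;
    }
    $cents = isset( $m[2] ) ? str_pad( $m[2], 2, '0' ) : '00';
    return (int) ( $m[1] . $cents );
}

// Return the list of reasons the IPN must NOT complete this order; an empty
// array means status, amount, currency and receiver all match.
function cf7pp_example_ipn_mismatches( array $ipn, array $order ): array {
    $problems = [];
    if ( ( $ipn['payment_status'] ?? '' ) !== 'Completed' ) {
        $problems[] = 'payment_status is not Completed';
    }
    $got      = cf7pp_example_to_minor_units( (string) ( $ipn['mc_gross'] ?? '' ) );
    $expected = cf7pp_example_to_minor_units( (string) $order['amount'] );
    if ( $got === null || $expected === null || $got !== $expected ) {
        $problems[] = 'mc_gross does not equal the stored order amount';
    }
    if ( strtoupper( (string) ( $ipn['mc_currency'] ?? '' ) ) !== strtoupper( (string) $order['currency'] ) ) {
        $problems[] = 'mc_currency does not match the stored order currency';
    }
    // PayPal may return the address in a different case; compare case-insensitively.
    if ( strcasecmp( (string) ( $ipn['receiver_email'] ?? '' ), (string) $order['receiver_email'] ) !== 0 ) {
        $problems[] = 'receiver_email is not this site\'s PayPal account';
    }
    return $problems;
}

// Constructed sample data (not from any real site): one order, one matching IPN
// and one IPN whose invoice points at the order but whose mc_gross is far too small.
$order    = [ 'amount' => '249.00', 'currency' => 'USD', 'receiver_email' => 'shop@example.com' ];
$matching = [ 'invoice' => '42', 'payment_status' => 'Completed', 'mc_gross' => '249.00',
              'mc_currency' => 'USD', 'receiver_email' => 'Shop@example.com' ];
$short    = [ 'invoice' => '42', 'payment_status' => 'Completed', 'mc_gross' => '1.00',
              'mc_currency' => 'USD', 'receiver_email' => 'shop@example.com' ];
echo "matching IPN problems: ", json_encode( cf7pp_example_ipn_mismatches( $matching, $order ) ), PHP_EOL;
echo "underpaid IPN problems: ", json_encode( cf7pp_example_ipn_mismatches( $short, $order ) ), PHP_EOL;
// In the handler: a non-empty array means log and return without calling
// cf7pp_complete_payment(); also record txn_id so a VERIFIED IPN cannot be replayed.
```

Run with `php` on the command line; the second line shows the underpaid IPN being rejected on mc_gross even though it passed PayPal's own authenticity check.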

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

Type: First Time appeared
Values Added:
  • Scottpaterson
  • Scottpaterson contact Form 7 – Paypal & Stripe Add-on
  • Wordpress
  • Wordpress wordpress

Type: Vendors & Products
Values Added:
  • Scottpaterson
  • Scottpaterson contact Form 7 – Paypal & Stripe Add-on
  • Wordpress
  • Wordpress wordpress

Fri, 29 May 2026 10:30:00 +0000

Type: Metrics
Values Added: ssvc
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 09:00:00 +0000

Type: Description
Values Added: the description text reproduced in the Description section at the top of this page

Type: Title
Values Added: Contact Form 7 – PayPal & Stripe Add-on <= 2.4.9 - Unauthenticated Payment Bypass via Insufficient Verification of Data Authenticity via PayPal IPN Handler ('invoice'/'mc_gross' Verification)

Type: Weaknesses
Values Added: CWE-345

Type: References

Type: Metrics
Values Added: cvssV3_1
  {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-29T10:04:53.551Z

Reserved: 2026-05-21T15:06:53.761Z

Link: CVE-2026-9189

Vulnrichment

Updated: 2026-05-29T10:04:47.955Z

NVD

Status: Deferred

Published: 2026-05-29T09:16:18.560

Modified: 2026-05-29T13:09:05.450

Link: CVE-2026-9189

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:47:21Z

Weaknesses