CVE-2026-9189
Deferred Deferred - Pending Action
Payment Bypass in Contact Form 7 PayPal Stripe Add-on

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: Wordfence

Description
The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress is vulnerable to Payment Bypass via Insufficient Verification of Data Authenticity in all versions up to, and including, 2.4.9. Although `cf7pp_paypal_ipn_handler()` correctly validates IPN authenticity by posting back to PayPal with `cmd=_notify-validate`, it fails to compare the IPN payload's `mc_gross` (payment amount), `mc_currency`, or `receiver_email` fields against the corresponding stored order values before passing the attacker-controlled `invoice` field directly to `cf7pp_complete_payment()`, which marks the order completed after only an integer cast with no amount verification. This makes it possible for unauthenticated attackers to mark arbitrary high-value pending orders as fully paid by making a minimal real PayPal payment and crafting an IPN whose `invoice` parameter references the targeted order, effectively completing purchases without tendering the required payment amount.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-05-29
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-9189
EUVD
EUVD-2026-33265
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
contact_form_7_paypal_stripe_add_on 2.4.9 to 2.4.9 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress has a vulnerability that allows attackers to bypass payment verification. Although the plugin validates the authenticity of PayPal IPN messages, it does not verify critical payment details such as the payment amount, currency, or receiver email against stored order information. Attackers can exploit this by sending a crafted IPN with a manipulated invoice field, causing the system to mark high-value pending orders as paid without receiving the full payment.

Impact Analysis

This vulnerability can allow unauthenticated attackers to fraudulently complete purchases by marking orders as paid without actually tendering the required payment amount. This can lead to financial losses, unauthorized access to goods or services, and potential disruption of business operations.

Compliance Impact

This vulnerability allows unauthenticated attackers to mark high-value pending orders as fully paid without tendering the required payment amount by exploiting insufficient verification of payment data.

Such unauthorized payment bypass could lead to financial discrepancies and potential fraudulent transactions, which may impact compliance with standards and regulations that require accurate transaction records and fraud prevention, such as PCI DSS.

However, there is no direct information provided about its impact on data privacy regulations like GDPR or HIPAA in the provided context.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9189. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart