CVE-2026-9189
Deferred Deferred - Pending Action

Payment Bypass in Contact Form 7 PayPal Stripe Add-on

Vulnerability report for CVE-2026-9189, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: Wordfence

Description

The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress is vulnerable to Payment Bypass via Insufficient Verification of Data Authenticity in all versions up to, and including, 2.4.9. Although `cf7pp_paypal_ipn_handler()` correctly validates IPN authenticity by posting back to PayPal with `cmd=_notify-validate`, it fails to compare the IPN payload's `mc_gross` (payment amount), `mc_currency`, or `receiver_email` fields against the corresponding stored order values before passing the attacker-controlled `invoice` field directly to `cf7pp_complete_payment()`, which marks the order completed after only an integer cast with no amount verification. This makes it possible for unauthenticated attackers to mark arbitrary high-value pending orders as fully paid by making a minimal real PayPal payment and crafting an IPN whose `invoice` parameter references the targeted order, effectively completing purchases without tendering the required payment amount.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-29
Last Modified
2026-05-29
Generated
2026-07-09
AI Q&A
2026-05-29
EPSS Evaluated
2026-07-08
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
contact_form_7_paypal_stripe_add_on 2.4.9 to 2.4.9 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress has a vulnerability that allows attackers to bypass payment verification. Although the plugin validates the authenticity of PayPal IPN messages, it does not verify critical payment details such as the payment amount, currency, or receiver email against stored order information. Attackers can exploit this by sending a crafted IPN with a manipulated invoice field, causing the system to mark high-value pending orders as paid without receiving the full payment.

Impact Analysis

This vulnerability can allow unauthenticated attackers to fraudulently complete purchases by marking orders as paid without actually tendering the required payment amount. This can lead to financial losses, unauthorized access to goods or services, and potential disruption of business operations.

Compliance Impact

This vulnerability allows unauthenticated attackers to mark high-value pending orders as fully paid without tendering the required payment amount by exploiting insufficient verification of payment data.

Such unauthorized payment bypass could lead to financial discrepancies and potential fraudulent transactions, which may impact compliance with standards and regulations that require accurate transaction records and fraud prevention, such as PCI DSS.

However, there is no direct information provided about its impact on data privacy regulations like GDPR or HIPAA in the provided context.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9189. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart