CVE-2026-9189 | The Contact Form 7 – PayPal & Stripe Add-on plugin for WordP… | CVSS 5.3 MEDIUM

Description

The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress is vulnerable to Payment Bypass via Insufficient Verification of Data Authenticity in all versions up to, and including, 2.4.9. Although `cf7pp_paypal_ipn_handler()` correctly validates IPN authenticity by posting back to PayPal with `cmd=_notify-validate`, it fails to compare the IPN payload's `mc_gross` (payment amount), `mc_currency`, or `receiver_email` fields against the corresponding stored order values before passing the attacker-controlled `invoice` field directly to `cf7pp_complete_payment()`, which marks the order completed after only an integer cast with no amount verification. This makes it possible for unauthenticated attackers to mark arbitrary high-value pending orders as fully paid by making a minimal real PayPal payment and crafting an IPN whose `invoice` parameter references the targeted order, effectively completing purchases without tendering the required payment amount.

Metadata

CVE ID: CVE-2026-9189
State: PUBLISHED
Assigner: Wordfence
Reserved: 2026-05-21 15:06 UTC
Published: 2026-05-29 08:28 UTC
Last updated: 2026-05-29 10:04 UTC
Primary CWE: CWE-345
CWE-345 Insufficient Verification of Data Authenticity
Vendor / Product: scottpaterson / Contact Form 7 – PayPal & Stripe Add-on
Sources: cve.org · NVD

Severity & Metrics

5.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
scottpaterson	Contact Form 7 – PayPal & Stripe Add-on	—	0 ≤ 2.4.9

Weakness (CWE)

CWE	Source	Description
CWE-345	cna	CWE-345 Insufficient Verification of Data Authenticity

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.3	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References (8)