CVE-2026-9189

Summary

The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress is vulnerable to Payment Bypass via Insufficient Verification of Data Authenticity in all versions up to, and including, 2.4.9. Although cf7pp_paypal_ipn_handler() correctly validates IPN authenticity by posting back to PayPal with cmd=_notify-validate, it fails to compare the IPN payload's mc_gross (payment amount), mc_currency, or receiver_email fields against the corresponding stored order values before passing the attacker-controlled invoice field directly to cf7pp_complete_payment(), which marks the order completed after only an integer cast with no amount verification. This makes it possible for unauthenticated attackers to mark arbitrary high-value pending orders as fully paid by making a minimal real PayPal payment and crafting an IPN whose invoice parameter references the targeted order, effectively completing purchases without tendering the required payment amount.

Affected Software

VendorProductVersion RangeStatus
scottpatersonContact Form 7 – PayPal & Stripe Add-on0 <= 2.4.9affected

Weaknesses

  • CWE-345: CWE-345 Insufficient Verification of Data Authenticity

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References