CVE-2026-9189 MEDIUM

CVE-2026-9189: Contact Form 7 – PayPal & Stripe Add-on <= 2.4.9 - Unauthenticated Payment Bypass via Insufficient Verification of Data Authenticity via PayPal IPN Handler ('invoice'/'mc_gross' Verification)

Vendor Scottpaterson
Product Contact Form 7 – PayPal & Stripe Add-on
Weakness CWE-345
Published May 29, 2026
Last update May 29, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress is vulnerable to Payment Bypass via Insufficient Verification of Data Authenticity in all versions up to, and including, 2.4.9. Although `cf7pp_paypal_ipn_handler()` correctly validates IPN authenticity by posting the notification back to PayPal with `cmd=_notify-validate`, it never compares the IPN payload's `mc_gross` (payment amount), `mc_currency`, or `receiver_email` fields against the corresponding stored order values before passing the attacker-controlled `invoice` field directly to `cf7pp_complete_payment()`, which marks the order completed after only casting `invoice` to an integer, with no amount verification. The postback only establishes that PayPal recorded the transaction described in the IPN; it says nothing about whether that transaction settles the order named in `invoice`. This makes it possible for unauthenticated attackers to mark arbitrary high-value pending orders as fully paid by making a minimal real PayPal payment and crafting an IPN whose `invoice` parameter references the targeted order, effectively completing purchases without tendering the required payment amount.
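The following is an added illustrative example, not code from the Contact Form 7 – PayPal & Stripe Add-on or any of its releases. It places the vulnerable handler shape described above beside a hardened one. All function names (`ipn_handler_vulnerable`, `ipn_handler_hardened`, `to_minor_units`, the `sample_*` helpers), the order store and the IPN payload are hypothetical and constructed for the example; the PayPal postback result is passed in as a string so the code runs offline.

```php
<?php
// Added illustrative example, not the plugin's code. Function names, the
// order store and the IPN payload are hypothetical / constructed test data.

declare(strict_types=1);

// Constructed order store: invoice number => what the site expects to be paid.
function sample_orders(): array {
    return [
        42 => ['amount' => '499.00', 'currency' => 'USD', 'status' => 'pending'],
    ];
}

// Constructed IPN payload: a genuine 1.00 USD payment to the merchant whose
// 'invoice' field has been pointed at the high-value order 42.
function sample_attacker_ipn(): array {
    return [
        'invoice'        => '42',
        'mc_gross'       => '1.00',
        'mc_currency'    => 'USD',
        'receiver_email' => 'merchant@example.com',
        'payment_status' => 'Completed',
        'txn_id'         => 'TXN-CONSTRUCTED-0001',
    ];
}

// Parse a PayPal decimal amount into integer minor units (cents). Comparing
// amounts as floats invites rounding surprises; as integers it does not.
// Returns null for anything that is not a plain decimal amount.
function to_minor_units(string $amount): ?int {
    if (!preg_match('/^\d+(\.\d{1,2})?$/', $amount)) {
        return null;
    }
    [$whole, $frac] = array_pad(explode('.', $amount, 2), 2, '0');
    return (int) $whole * 100 + (int) str_pad($frac, 2, '0');
}

// $postback is the body PayPal returns when the raw IPN is posted back with
// cmd=_notify-validate ('VERIFIED' or 'INVALID'). A live handler would make
// that round trip with wp_remote_post(); here it is a parameter.

// Vulnerable pattern: the postback proves the transaction is real, then the
// attacker-controlled invoice number is trusted after an integer cast only.
function ipn_handler_vulnerable(array $ipn, string $postback, array &$orders): bool {
    if ($postback !== 'VERIFIED') {
        return false;
    }
    $order_id = (int) ($ipn['invoice'] ?? 0);
    if (!isset($orders[$order_id])) {
        return false;
    }
    $orders[$order_id]['status'] = 'completed';   // no amount check at all
    return true;
}

// Hardened pattern: IPN authenticity is necessary but not sufficient; every
// field that decides "was this order paid" is compared with stored data.
function ipn_handler_hardened(array $ipn, string $postback, array &$orders,
                              array &$seen_txn, string $merchant_email): bool {
    if ($postback !== 'VERIFIED') {
        return false;
    }
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        return false;                                // pending/reversed/refunded
    }
    $order_id = (int) ($ipn['invoice'] ?? 0);
    if (!isset($orders[$order_id]) || $orders[$order_id]['status'] !== 'pending') {
        return false;                                // unknown or already settled
    }
    $txn = (string) ($ipn['txn_id'] ?? '');
    if ($txn === '' || isset($seen_txn[$txn])) {
        return false;                                // replayed transaction
    }
    if (strcasecmp((string) ($ipn['receiver_email'] ?? ''), $merchant_email) !== 0) {
        return false;                                // paid to someone else
    }
    $order = $orders[$order_id];
    if (strtoupper((string) ($ipn['mc_currency'] ?? '')) !== strtoupper($order['currency'])) {
        return false;                                // wrong currency
    }
    $paid = to_minor_units((string) ($ipn['mc_gross'] ?? ''));
    $due  = to_minor_units($order['amount']);
    if ($paid === null || $due === null || $paid !== $due) {
        return false;                                // short or malformed payment
    }
    $seen_txn[$txn] = $order_id;
    $orders[$order_id]['status'] = 'completed';
    return true;
}

$vuln = sample_orders();
$hard = sample_orders();
$seen = [];
$ipn  = sample_attacker_ipn();

ipn_handler_vulnerable($ipn, 'VERIFIED', $vuln);
ipn_handler_hardened($ipn, 'VERIFIED', $hard, $seen, 'merchant@example.com');

printf("vulnerable handler: order 42 is %s\n", $vuln[42]['status']);
printf("hardened handler:   order 42 is %s\n", $hard[42]['status']);
```

Run with `php ipn_example.php`: the vulnerable handler reports order 42 as completed on the strength of a 1.00 USD transaction, while the hardened handler leaves it pending because `mc_gross` (100 minor units) does not equal the stored 499.00 (49900). The `receiver_email` comparison and the `txn_id` replay check are added defences beyond the finding on this page; the check that actually stops the described attack is the amount and currency comparison, since the attacker's payment is real and is made to the site's own PayPal account.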

Explanation of Vulnerability in Simple Terms

02 Summary

The Contact Form 7 – PayPal & Stripe Add-on through version 2.4.9 contains an integrity vulnerability that allows unauthenticated attackers to alter payment state over the network without user interaction. The vulnerability stems from the PayPal IPN handler trusting the attacker-controlled `invoice` number without checking that the payment amount, currency and recipient in the IPN match the stored order. Site administrators should update to a version newer than 2.4.9 to mitigate the risk.

What an attacker can do

03 Attacker Capabilities

Mark any pending order as fully paid, without authentication or user interaction, by making a minimal real PayPal payment and pointing the resulting IPN's `invoice` field at the targeted order.

Potential impact on your site

04 Site Impact

Pending orders could be marked as completed without the required amount having been paid, so goods or services may be released for a fraction of their price while the site's records show the purchase as settled.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication or user action required. The attacker needs a pending order to target, its integer invoice number, and the ability to make a minimal real PayPal payment so that the crafted IPN passes PayPal's postback validation.

Key dates

06 Disclosure timeline

May 29, 2026 CVE published
May 29, 2026 Record updated