VYPR
Medium severity · 5.3 · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2026-9189

Description

The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress is vulnerable to Payment Bypass via Insufficient Verification of Data Authenticity in all versions up to, and including, 2.4.9. Although cf7pp_paypal_ipn_handler() correctly validates IPN authenticity by posting back to PayPal with cmd=_notify-validate, it fails to compare the IPN payload's mc_gross (payment amount), mc_currency, or receiver_email fields against the corresponding stored order values before passing the attacker-controlled invoice field directly to cf7pp_complete_payment(), which marks the order completed after only an integer cast with no amount verification. This makes it possible for unauthenticated attackers to mark arbitrary high-value pending orders as fully paid by making a minimal real PayPal payment and crafting an IPN whose invoice parameter references the targeted order, effectively completing purchases without tendering the required payment amount.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress up to 2.4.9 lacks amount verification in PayPal IPN handling, allowing attackers to complete high-value orders with minimal real payment.

Vulnerability

The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress, in all versions up to and including 2.4.9, contains a payment bypass vulnerability in the PayPal IPN handler (cf7pp_paypal_ipn_handler()) located in /includes/payments/paypal_handler.php. The handler correctly validates IPN authenticity by posting back to PayPal with cmd=_notify-validate [1][3], but it fails to compare the IPN payload's mc_gross (payment amount), mc_currency, or receiver_email fields against the corresponding stored order values. Instead, it passes the attacker-controlled invoice field directly to cf7pp_complete_payment(), which only performs an integer cast on the payment ID and verifies the post type and pending status, with no amount verification [1][2].

Exploitation

An unauthenticated attacker can exploit this vulnerability by first making a minimal real PayPal payment (e.g., $0.01) to a store using the plugin and capturing the resulting IPN parameters. The attacker then crafts a forged IPN notification whose invoice parameter references the ID of a high-value pending order (e.g., $100) while keeping mc_gross at the minimal amount. When this crafted IPN is sent to the plugin's REST API IPN endpoint, cf7pp_paypal_ipn_handler() validates the payload via PayPal's verification service (which confirms the minimal payment as genuine) and then calls cf7pp_complete_payment() with the targeted order ID [3][4]. The function marks the order as completed without checking that the payment amount matches the order's expected amount [1][2].

Impact

Successful exploitation allows an unauthenticated attacker to mark arbitrary high-value pending orders as fully paid, effectively bypassing the required payment amount. This enables attackers to complete purchases (e.g., digital goods, services) without tendering the full price, resulting in financial loss for the merchant and unauthorized acquisition of products or services.

Mitigation

As of the publication date (2026-05-29), no patched version has been released for the Contact Form 7 – PayPal & Stripe Add-on plugin. The vulnerability affects all versions up to and including 2.4.9. Users should monitor the plugin's update channel for a fixed release. In the interim, site administrators can consider disabling the PayPal IPN callback or implementing custom validation of IPN mc_gross, mc_currency, and receiver_email against stored order metadata, though no official workaround is provided in the references. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
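The following PHP is an added example of the custom validation the Mitigation section describes, written as a hardened completion path: it keeps the existing PayPal post-back check and then compares the IPN's mc_gross, mc_currency and receiver_email against values stored with the order before the order is marked paid. It is not code from the plugin or from this advisory. The post type name (cf7pp_order), the meta keys (_cf7pp_status, _cf7pp_amount, _cf7pp_currency, _cf7pp_txn_id), the option name (cf7pp_paypal_email) and the example_cf7pp_* function names are assumptions chosen for illustration; only the WordPress core functions (wp_remote_post, wp_remote_retrieve_body, get_post, get_post_meta, update_post_meta, get_option, absint, sanitize_text_field) are real.

```php
<?php
// Added example (not the plugin's own code). Post type, meta keys, option name
// and function names below are placeholders, not the plugin's real identifiers.

/**
 * Post the IPN back to PayPal with cmd=_notify-validate and return true only
 * when PayPal answers VERIFIED. In production forward the raw POST body as
 * received; re-encoding a parsed array can change values PayPal compares.
 */
function example_cf7pp_ipn_is_verified( array $ipn, bool $sandbox = false ): bool {
    $url = $sandbox
        ? 'https://ipnpb.sandbox.paypal.com/cgi-bin/webscr'
        : 'https://ipnpb.paypal.com/cgi-bin/webscr';

    $response = wp_remote_post( $url, [
        'body'    => array_merge( [ 'cmd' => '_notify-validate' ], $ipn ),
        'timeout' => 30,
    ] );
    if ( is_wp_error( $response ) ) {
        return false;
    }
    return 'VERIFIED' === trim( wp_remote_retrieve_body( $response ) );
}

/**
 * Convert a decimal amount string such as "100.00" or "0.01" to integer minor
 * units (cents) without float arithmetic. Returns null for anything malformed.
 */
function example_cf7pp_to_minor_units( string $amount ): ?int {
    if ( ! preg_match( '/^\d+(\.\d{1,2})?$/', $amount ) ) {
        return null;
    }
    [ $whole, $frac ] = array_pad( explode( '.', $amount, 2 ), 2, '' );
    return (int) $whole * 100 + (int) str_pad( $frac, 2, '0' );
}

/**
 * Pure comparison of an already PayPal-verified IPN against the stored order.
 * Returns the list of mismatched fields; an empty list means the payment
 * matches the order. Keeping this pure makes it easy to unit test.
 */
function example_cf7pp_payment_mismatches( array $ipn, array $expected ): array {
    $problems = [];

    // Pending, Refunded or Reversed IPNs are genuine PayPal messages but must
    // never mark an order paid.
    if ( 'Completed' !== ( $ipn['payment_status'] ?? '' ) ) {
        $problems[] = 'payment_status';
    }

    // The missing check behind CVE-2026-9189: the amount actually paid must
    // cover the amount the order requires. Use `!==` instead if exact match
    // is wanted.
    $paid = example_cf7pp_to_minor_units( (string) ( $ipn['mc_gross'] ?? '' ) );
    $due  = example_cf7pp_to_minor_units( $expected['amount'] );
    if ( null === $paid || null === $due || $paid < $due ) {
        $problems[] = 'mc_gross';
    }

    // Same currency, otherwise "100" in a cheap currency would pass.
    if ( 0 !== strcasecmp( (string) ( $ipn['mc_currency'] ?? '' ), $expected['currency'] ) ) {
        $problems[] = 'mc_currency';
    }

    // The money must have gone to this merchant's account, not the sender's own.
    if ( 0 !== strcasecmp( (string) ( $ipn['receiver_email'] ?? '' ), $expected['receiver_email'] ) ) {
        $problems[] = 'receiver_email';
    }

    return $problems;
}

/**
 * Hardened completion path: verify with PayPal, load the order named by the
 * invoice field, compare, and only then complete. Returns true when the
 * order was actually marked completed.
 */
function example_cf7pp_handle_ipn( array $ipn ): bool {
    if ( ! example_cf7pp_ipn_is_verified( $ipn ) ) {
        return false;
    }

    $order_id = absint( $ipn['invoice'] ?? 0 );
    $post     = $order_id ? get_post( $order_id ) : null;
    if ( ! $post || 'cf7pp_order' !== $post->post_type
         || 'pending' !== get_post_meta( $order_id, '_cf7pp_status', true ) ) {
        return false;
    }

    $expected = [
        'amount'         => (string) get_post_meta( $order_id, '_cf7pp_amount', true ),
        'currency'       => (string) get_post_meta( $order_id, '_cf7pp_currency', true ),
        'receiver_email' => (string) get_option( 'cf7pp_paypal_email', '' ),
    ];

    $problems = example_cf7pp_payment_mismatches( $ipn, $expected );
    if ( $problems ) {
        // Log the rejection: repeated mc_gross mismatches against different
        // invoice IDs are the detection signal for this bypass attempt.
        error_log( sprintf( 'cf7pp IPN rejected for order %d: %s',
            $order_id, implode( ',', $problems ) ) );
        return false;
    }

    update_post_meta( $order_id, '_cf7pp_status', 'completed' );
    update_post_meta( $order_id, '_cf7pp_txn_id',
        sanitize_text_field( (string) ( $ipn['txn_id'] ?? '' ) ) );
    return true;
}
```

With this structure the order described in the Exploitation section (a $0.01 IPN carrying a $100 order's invoice ID) is rejected with `mc_gross` in the mismatch list before cf7pp_complete_payment-style logic runs, and the rejection is logged so a merchant can spot the pattern. The comparison function takes the expected values as an array rather than reading post meta itself, so it can be exercised offline with constructed IPN arrays while the wrapper stays thin.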

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
