216.73.216.170

CVE-2026-9189

· Published 29/05/2026 09:16 · Modified 29/05/2026 13:09

Labels: CVE-2026-9189 2026-05-29CVE-2026-9189CWE-345[email protected]

Essential information

Published
29/05/2026 09:16
Modified
29/05/2026 13:09
Author
Creator
CVSS
5.3 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS metrics

Description

The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress is vulnerable to Payment Bypass via Insufficient Verification of Data Authenticity in all versions up to, and including, 2.4.9. Although `cf7pp_paypal_ipn_handler()` correctly validates IPN authenticity by posting back to PayPal with `cmd=_notify-validate`, it fails to compare the IPN payload's `mc_gross` (payment amount), `mc_currency`, or `receiver_email` fields against the corresponding stored order values before passing the attacker-controlled `invoice` field directly to `cf7pp_complete_payment()`, which marks the order completed after only an integer cast with no amount verification. This makes it possible for unauthenticated attackers to mark arbitrary high-value pending orders as fully paid by making a minimal real PayPal payment and crafting an IPN whose `invoice` parameter references the targeted order, effectively completing purchases without tendering the required payment amount.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
wordpress / contact form 7 paypal stripe add on cpe:2.3:a:wordpress:contact_form_7_paypal_stripe_add_on:*:*:*:*:*:wordpress:*:*

References