CVE-2026-9189— Contact Form 7 – PayPal & Stripe Add-on <= 2.4.9 - Unauthenticated Payment Bypass via Insufficient Verification of Data Authenticity via PayPal IPN Handler ('invoice'/'mc_gross' Verification)
Possible ATT&CK Techniques 2AI
T1556 · Modify Authentication Process T1190 · Exploit Public-Facing ApplicationGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-9189
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Contact Form 7 – PayPal & Stripe Add-on <= 2.4.9 - Unauthenticated Payment Bypass via Insufficient Verification of Data Authenticity via PayPal IPN Handler ('invoice'/'mc_gross' Verification)
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress is vulnerable to Payment Bypass via Insufficient Verification of Data Authenticity in all versions up to, and including, 2.4.9. Although `cf7pp_paypal_ipn_handler()` correctly validates IPN authenticity by posting back to PayPal with `cmd=_notify-validate`, it fails to compare the IPN payload's `mc_gross` (payment amount), `mc_currency`, or `receiver_email` fields against the corresponding stored order values before passing the attacker-controlled `invoice` field directly to `cf7pp_complete_payment()`, which marks the order completed after only an integer cast with no amount verification. This makes it possible for unauthenticated attackers to mark arbitrary high-value pending orders as fully paid by making a minimal real PayPal payment and crafting an IPN whose `invoice` parameter references the targeted order, effectively completing purchases without tendering the required payment amount.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
对数据真实性的验证不充分
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| scottpaterson | Contact Form 7 – PayPal & Stripe Add-on | 0 ~ 2.4.9 | - |
II. Public POCs for CVE-2026-9189
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-9189
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-9189 (4)
Vendor Advisories for CVE-2026-9189 (1)
Other References for CVE-2026-9189 (1)
IV. Related Vulnerabilities
Same product: Contact Form 7 – PayPal & Stripe Add-on
- CVE-2025-47518
WordPress Contact Form 7 – PayPal & Stripe Add-on plugin <= - CVE-2024-10683
Contact Form 7 - PayPal & Stripe Add-on <= 2.3.1 - Reflected - CVE-2024-48021
WordPress Contact Form 7 – PayPal & Stripe Add-on plugin <= - CVE-2024-29130
WordPress Contact Form 7 – PayPal & Stripe Add-on plugin <= - CVE-2023-24405
WordPress Contact Form 7 – PayPal & Stripe Add-on Plugin <=
Same vendor: scottpaterson
- CVE-2025-12752
Subscriptions & Memberships for PayPal <= 1.1.7 - Unauthenti - CVE-2025-10701
Time Clock – A WordPress Employee & Volunteer Time Clock Plu - CVE-2024-13560
Subscriptions & Memberships for PayPal <= 1.1.6 - Cross-Site - CVE-2024-13728
Accept Donations with PayPal & Stripe <= 1.4.4 - Reflected C - CVE-2024-12423
Contact Form 7 Redirect & Thank You Page <= 1.0.7 - Reflecte
Same weakness: CWE-345
- CVE-2026-47696
WWBN AVideo: Authenticated wallet credit bypass in Authorize - CVE-2026-3012
Samba: group policy certificate enrollment uses http:// with - CVE-2026-41164
nuts-node: JWT type confusion in v1 access token introspecti - CVE-2026-25602
Mesalvo Meona Client Launcher Component和Mesalvo Meona Server - CVE-2026-44308
Spring Cloud AWS: Missing SNS message signature verification
V. Comments for CVE-2026-9189
No comments yet