CVE-2026-9189: Contact Form 7 PayPal Add-on Payment Bypass Vulnerability
The Contact Form 7 – PayPal & Stripe Add-on WordPress plugin contains a payment validation flaw that allows attackers to mark high-value orders as completed without paying the correct amount. An attacker can make a small legitimate PayPal payment, then submit a forged payment notification (IPN) that references a different, expensive order. Because the plugin fails to verify that the payment amount and recipient email match the target order, the attacker's notification is accepted and the high-value order is incorrectly marked as paid. This affects all versions up to and including 2.4.9.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-345
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress is vulnerable to Payment Bypass via Insufficient Verification of Data Authenticity in all versions up to, and including, 2.4.9. Although `cf7pp_paypal_ipn_handler()` correctly validates IPN authenticity by posting back to PayPal with `cmd=_notify-validate`, it fails to compare the IPN payload's `mc_gross` (payment amount), `mc_currency`, or `receiver_email` fields against the corresponding stored order values before passing the attacker-controlled `invoice` field directly to `cf7pp_complete_payment()`, which marks the order completed after only an integer cast with no amount verification. This makes it possible for unauthenticated attackers to mark arbitrary high-value pending orders as fully paid by making a minimal real PayPal payment and crafting an IPN whose `invoice` parameter references the targeted order, effectively completing purchases without tendering the required payment amount.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9189 exploits insufficient verification in the Contact Form 7 – PayPal & Stripe Add-on's IPN handler. While the plugin correctly validates IPN authenticity by posting back to PayPal's confirmation endpoint, it omits critical post-validation checks: it never compares the IPN payload's mc_gross (amount), mc_currency, or receiver_email fields against stored order values. Instead, the attacker-controlled invoice field is passed directly to cf7pp_complete_payment() after only a type cast, bypassing amount verification. An attacker creates a small legitimate PayPal transaction, intercepts or crafts an IPN message, modifies the invoice parameter to target a pending high-value order, and submits it. The plugin accepts the IPN as authentic and marks the expensive order complete. The vulnerability maps to CWE-345 (Insufficient Verification of Data Authenticity) and carries a CVSS 3.1 score of 5.3 (Medium).
Business impact
Organizations using this plugin to accept PayPal payments for WooCommerce forms face revenue loss from payment bypass fraud. Attackers can fulfill orders without tendering correct payment amounts, directly reducing transaction integrity. The attack requires no user interaction and no authentication, making it accessible to any attacker aware of pending order IDs. Affected sites may experience customer disputes, chargeback claims, and inventory depletion. Sites processing high-transaction-value orders via the plugin face the greatest financial exposure.
Affected systems
The Contact Form 7 – PayPal & Stripe Add-on for WordPress is affected in all versions up to and including 2.4.9. The plugin integrates contact forms with PayPal payment processing, typically in WooCommerce or custom WordPress checkout flows. Any WordPress installation using this plugin to process PayPal transactions is vulnerable if not updated.
Exploitability
Exploitability is high. The attack requires no authentication, no user interaction, and no special access. An attacker needs only the ability to craft an HTTP POST request to the plugin's IPN endpoint and knowledge of (or ability to enumerate) pending order IDs. A minimal real PayPal payment serves as cover to establish IPN credibility. The vulnerability is trivial to exploit with basic scripting; no complex tooling is required. The network attack vector and low complexity make this a practical threat for any site publicly running the vulnerable plugin.
Remediation
Update the Contact Form 7 – PayPal & Stripe Add-on to the latest patched version immediately. Verify the patch version against the official WordPress plugin repository or vendor advisory to confirm the fix includes validation of mc_gross, mc_currency, and receiver_email fields against stored order data. If a patch is not yet available, disable PayPal payment processing in the plugin, suspend order fulfillment via the affected payment method, or temporarily migrate to an alternative payment processor pending a security update.
Patch guidance
Check the official Contact Form 7 – PayPal & Stripe Add-on page in the WordPress plugin directory for available updates. Apply the latest version as soon as it is released. Before deployment, test the patched version in a staging environment to confirm PayPal IPN notifications are still processed correctly and orders are marked complete only when payment details match stored values. Review your site's order logs during the vulnerability window for any suspicious completed orders with mismatched payment amounts.
Detection guidance
Monitor PayPal IPN logs and webhook records for invoice parameters that do not correspond to the order initiated by the contact form or for payments with mc_gross values significantly lower than corresponding order totals. Audit completed orders marked paid during the exposure period; flag any where the PayPal transaction amount does not reconcile with the order subtotal. Implement logging of all IPN validation steps to identify rejected or inconsistent notifications. Check for evidence of multiple IPN submissions for the same order ID or invoice parameter with different amounts. Review web server access logs for repeated POST requests to the IPN handler endpoint from unknown sources.
Why prioritize this
This vulnerability should be prioritized for urgent patching because it directly undermines payment integrity with zero-interaction exploitability. Unlike many medium-severity flaws, CVE-2026-9189 enables direct, undetectable revenue theft for any organization accepting payments through the vulnerable plugin. The attack surface is the public-facing IPN endpoint, and the impact is immediate financial loss. The simplicity of exploitation and absence of indicators that alert users to fraud make this a material risk despite the CVSS 5.3 rating.
Risk score, explained
CVSS 3.1 assigns this vulnerability a score of 5.3 (Medium) based on network attack vector, low complexity, no privilege requirements, and no user interaction, but limited scope and no direct confidentiality impact. However, the integrity impact (I:L) underrepresents the actual business harm: the flaw enables direct financial fraud. Organizations handling high-transaction volumes or high-value orders should treat this as functionally critical, despite the medium CVSS label. The financial and reputational consequences may warrant a higher internal severity classification.
Frequently asked questions
Can an attacker complete an order for any amount?
Yes. An attacker can craft an IPN referencing any pending order ID in the system. Because the plugin does not verify that the payment amount matches the order value, a single small PayPal transaction can be used to complete multiple high-value orders by varying the invoice parameter in separate IPN submissions.
How do we know if we have been exploited?
Review your PayPal transaction history and compare transaction amounts against corresponding order totals in WordPress/WooCommerce. Any completed order where the PayPal payment is significantly lower than the order value, or where the PayPal payment method is recorded but no corresponding PayPal transaction exists, is a red flag. Enable detailed IPN logging on your site to spot inconsistencies.
Is a patch available yet?
As of the publication of this advisory, verify the official Contact Form 7 – PayPal & Stripe Add-on repository for the latest version and patch notes. Security updates are typically released within days of public disclosure. Subscribe to the plugin's security announcements or enable automatic updates in WordPress to be notified when a patch is released.
What if we do not use PayPal—only Stripe?
This vulnerability is specific to the PayPal IPN handler in the plugin. If your site processes payments exclusively through Stripe and PayPal payment processing is disabled or unused, you are not directly affected by this flaw. However, verify that PayPal integration is truly inactive in the plugin configuration to confirm no attack surface remains.
This analysis is provided for informational purposes to help organizations assess and remediate security risks. SEC.co does not verify the exploitability of this vulnerability in real-world environments and makes no warranty regarding the accuracy or completeness of remediation guidance. Organizations should consult official vendor advisories and conduct their own testing before applying patches. Liability for damages arising from the use or misuse of this information is excluded to the fullest extent permitted by law. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-46538MEDIUMMicrosoft UFO Cross-Device Task Result Injection (CVSS 5.9)
- CVE-2026-47696MEDIUMWWBN AVideo AuthorizeNet Payment Bypass—Wallet Fraud Vulnerability
- CVE-2022-4992HIGHDräger Infinity M540 Patient Monitor Network Message Vulnerability
- CVE-2026-41577HIGHAuthentik SAML Assertion Validation Bypass (CWE-345)
- CVE-2026-47123HIGHFreeScout Email Spoofing Vulnerability – High-Severity Patch Available
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)