WordPress · Contact Form 7 – Paypal & Stripe Add-On · CVE-2026-9189
**Name of the Vulnerable Software and Affected Versions**
Contact Form 7 – PayPal & Stripe Add-on versions prior to 2.5.0
**Description**
The plugin is subject to a payment bypass due to insufficient verification of data authenticity. The `cf7pp_paypal_ipn_handler()` function validates that an IPN message is authentic by posting it back to PayPal with `cmd=_notify-validate`, but it never checks that the `mc_gross` (payment amount), `mc_currency`, or `receiver_email` fields of the IPN match the values stored for the order. Instead, the attacker-controlled `invoice` field is passed directly to `cf7pp_complete_payment()`, which casts it to an integer and marks that order as completed without comparing the amount actually paid to the amount the order requires. Because a genuine payment of any size is reported back as VERIFIED, an unauthenticated attacker can mark a high-value pending order as paid by making a minimal payment and crafting an IPN whose `invoice` parameter references the target order.
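The following is an added example of how an IPN handler closes this gap; it is not the plugin's own code and it does not reproduce the plugin's real storage layout. It assumes a hypothetical order post type `cf7pp_order` with post meta `cf7pp_amount`, `cf7pp_currency`, `cf7pp_status` and `cf7pp_txn_id`, and a hypothetical option `cf7pp_paypal_email` holding the merchant's receiver address; the function names are likewise assumptions. The IPN is treated as untrusted until both the PayPal postback succeeds and the IPN's `mc_gross`, `mc_currency` and `receiver_email` agree with the stored order, which is exactly the comparison the advisory says is missing.

```php
<?php
// Added example (not the plugin's code). Uses only WordPress core functions;
// post type, meta keys and option name are hypothetical.

function cf7pp_example_ipn_is_verified(array $ipn, bool $sandbox = false): bool {
    // Step 1: authenticity. Send the payload back unchanged, prefixed with
    // cmd=_notify-validate, and accept only the literal response VERIFIED.
    $url  = $sandbox
        ? 'https://ipnpb.sandbox.paypal.com/cgi-bin/webscr'
        : 'https://ipnpb.paypal.com/cgi-bin/webscr';
    $body = array_merge(['cmd' => '_notify-validate'], $ipn);
    $resp = wp_remote_post($url, ['body' => $body, 'timeout' => 30, 'httpversion' => '1.1']);
    if (is_wp_error($resp)) {
        return false;
    }
    return wp_remote_retrieve_body($resp) === 'VERIFIED';
}

// Compare money as integer cents; float equality on "9.99" vs "9.990" is unreliable.
function cf7pp_example_cents(string $amount): ?int {
    return is_numeric($amount) ? (int) round(((float) $amount) * 100) : null;
}

// Returns a short status string so the caller can log the outcome.
function cf7pp_example_handle_ipn(array $ipn): string {
    if (!cf7pp_example_ipn_is_verified($ipn)) {
        return 'rejected: IPN not VERIFIED by PayPal';
    }
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        return 'ignored: payment_status is not Completed';
    }

    // Step 2: "invoice" is attacker-chosen at checkout time, so it is only a
    // lookup key. Casting it to an integer proves nothing about the payment.
    $order_id = absint($ipn['invoice'] ?? 0);
    if ($order_id === 0 || get_post_type($order_id) !== 'cf7pp_order') {   // hypothetical post type
        return 'rejected: invoice does not reference an order';
    }
    if (get_post_meta($order_id, 'cf7pp_status', true) !== 'pending') {    // hypothetical meta key
        return 'ignored: order is not pending';
    }

    // Step 3: the checks the advisory describes as missing. The order, not
    // the IPN, is the source of truth for amount, currency and receiver.
    $expected_cents    = cf7pp_example_cents((string) get_post_meta($order_id, 'cf7pp_amount', true));
    $paid_cents        = cf7pp_example_cents((string) ($ipn['mc_gross'] ?? ''));
    $expected_currency = (string) get_post_meta($order_id, 'cf7pp_currency', true);
    $expected_receiver = (string) get_option('cf7pp_paypal_email');          // hypothetical option

    if ($expected_cents === null || $paid_cents === null || $paid_cents !== $expected_cents) {
        return 'rejected: mc_gross does not match the order amount';
    }
    if (strcasecmp((string) ($ipn['mc_currency'] ?? ''), $expected_currency) !== 0) {
        return 'rejected: mc_currency does not match the order currency';
    }
    if (strcasecmp((string) ($ipn['receiver_email'] ?? ''), $expected_receiver) !== 0) {
        return 'rejected: receiver_email is not the merchant account';
    }

    // Step 4: replay protection. A VERIFIED IPN for a real payment can be
    // delivered to the handler more than once; accept each txn_id only once.
    $txn_id = sanitize_text_field($ipn['txn_id'] ?? '');
    if ($txn_id === '') {
        return 'rejected: missing txn_id';
    }
    $already_used = get_posts([
        'post_type'   => 'cf7pp_order',
        'post_status' => 'any',
        'meta_key'    => 'cf7pp_txn_id',
        'meta_value'  => $txn_id,
        'fields'      => 'ids',
        'numberposts' => 1,
    ]);
    if (!empty($already_used)) {
        return 'ignored: txn_id already processed';
    }

    // Only now is it safe to do what cf7pp_complete_payment() did unconditionally.
    update_post_meta($order_id, 'cf7pp_txn_id', $txn_id);
    update_post_meta($order_id, 'cf7pp_status', 'completed');
    return 'completed: order ' . $order_id;
}

// Entry point: the decoded POST body of the IPN request, e.g. from a
// rest_api_init route or the plugin's existing listener URL.
// error_log(cf7pp_example_handle_ipn($_POST));
```

Two points worth keeping in mind when adapting this: the postback should forward the IPN fields in the order PayPal sent them (here the decoded array preserves that order), and a payment whose `mc_gross` exceeds the order amount is still rejected by the equality check above; if overpayment should be accepted, change the comparison to `$paid_cents < $expected_cents` but never to a check that ignores the amount.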
**Recommendations**
Update the plugin to version 2.5.0 or later.