PT-2026-44772 · Scottpaterson · Contact Form 7 – Paypal & Stripe Add-On

Published 2026-05-29 · Updated 2026-05-29 · CVE-2026-9189

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress is vulnerable to Payment Bypass via Insufficient Verification of Data Authenticity in all versions up to, and including, 2.4.9. Although cf7pp_paypal_ipn_handler() correctly validates IPN authenticity by posting back to PayPal with cmd=_notify-validate, it fails to compare the IPN payload's mc_gross (payment amount), mc_currency, or receiver_email fields against the corresponding stored order values before passing the attacker-controlled invoice field directly to cf7pp_complete_payment(), which marks the order completed after only an integer cast with no amount verification. This makes it possible for unauthenticated attackers to mark arbitrary high-value pending orders as fully paid by making a minimal real PayPal payment and crafting an IPN whose invoice parameter references the targeted order, effectively completing purchases without tendering the required payment amount.
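The check the advisory says is missing, written out as an added example in plain PHP; this is not the plugin's code, and the function names, the in-memory order table and the IPN values are all constructed for illustration. It assumes the cmd=_notify-validate postback has already answered VERIFIED (that step is not shown) and then refuses to complete the order unless mc_gross, mc_currency and receiver_email agree with what was stored when the order was created.

```php
<?php
// Added example, not the plugin's own code. Assumes PayPal's _notify-validate
// postback already returned "VERIFIED" for this IPN; only the order/IPN
// consistency checks are shown. All names below are hypothetical.

/**
 * Compare a verified IPN with the stored order it claims to pay for.
 * Returns [] when everything matches, otherwise a list of rejection reasons.
 */
function example_ipn_matches_order(array $ipn, array $order, string $merchantEmail): array
{
    $problems = [];

    // A second IPN for an already completed order is a replay, not a payment.
    if ($order['status'] !== 'pending') {
        $problems[] = 'order is not pending (possible replay)';
    }
    // Only a completed payment may complete the order.
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        $problems[] = 'payment_status is not Completed';
    }

    // Compare amounts in minor units (cents) to avoid float equality issues.
    $paidCents     = (int) round((float) ($ipn['mc_gross'] ?? '0') * 100);
    $expectedCents = (int) round((float) $order['amount'] * 100);
    if ($paidCents !== $expectedCents) {
        $problems[] = "amount mismatch: IPN {$paidCents}c, order {$expectedCents}c";
    }

    if (strtoupper($ipn['mc_currency'] ?? '') !== strtoupper($order['currency'])) {
        $problems[] = 'currency mismatch';
    }

    // The money must have gone to the merchant's own PayPal account.
    if (strcasecmp(trim($ipn['receiver_email'] ?? ''), trim($merchantEmail)) !== 0) {
        $problems[] = 'receiver_email is not the merchant account';
    }

    return $problems;
}

/**
 * Handle one verified IPN against an in-memory order table that stands in
 * for the database. Returns a short result string.
 */
function example_handle_ipn(array $ipn, array &$orders, string $merchantEmail): string
{
    // Require an all-digit invoice; a bare (int) cast would silently accept
    // values such as "1042abc".
    $invoice = (string) ($ipn['invoice'] ?? '');
    if (!ctype_digit($invoice) || !isset($orders[(int) $invoice])) {
        return 'rejected: unknown or malformed invoice';
    }
    $orderId = (int) $invoice;

    $problems = example_ipn_matches_order($ipn, $orders[$orderId], $merchantEmail);
    if ($problems !== []) {
        // Keep the order pending and record the mismatch; never complete it.
        return 'rejected: ' . implode('; ', $problems);
    }

    $orders[$orderId]['status'] = 'completed';
    $orders[$orderId]['txn_id'] = $ipn['txn_id'] ?? null;
    return "completed order {$orderId}";
}

// ---- Constructed sample data (not real orders, accounts or transactions) ----
$merchantEmail = 'merchant@example.com';
$orders = [
    1042 => ['amount' => '250.00', 'currency' => 'USD', 'status' => 'pending'],
];

// A genuine but minimal payment whose invoice field points at the 250.00 order.
$underpaidIpn = [
    'invoice'        => '1042',
    'mc_gross'       => '0.01',
    'mc_currency'    => 'USD',
    'receiver_email' => 'merchant@example.com',
    'payment_status' => 'Completed',
    'txn_id'         => 'EXAMPLE-TXN-1',
];
// An IPN that actually matches the stored order.
$matchingIpn = $underpaidIpn;
$matchingIpn['mc_gross'] = '250.00';
$matchingIpn['txn_id']   = 'EXAMPLE-TXN-2';

echo example_handle_ipn($underpaidIpn, $orders, $merchantEmail), PHP_EOL;
echo example_handle_ipn($matchingIpn, $orders, $merchantEmail), PHP_EOL;
echo example_handle_ipn($matchingIpn, $orders, $merchantEmail), PHP_EOL;
```

Run with `php` on the command line: the first IPN is rejected for the amount mismatch and the order stays pending, the second completes it, and the third is rejected as a replay because the order is no longer pending. In a real handler the stored amount and currency come from the order record created when the form was submitted, never from the IPN, and the merchant e-mail from plugin configuration; rejected IPNs should be logged with the invoice, mc_gross and txn_id so underpayment attempts are visible to the site owner.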

Fix

Weakness Enumeration

Insufficient Verification of Data Authenticity

Related Identifiers

CVE-2026-9189

Affected Products

Contact Form 7 – Paypal & Stripe Add-On