Skip to main content
CVE Vulnerability Database

CVE-2026-9189: WordPress CF7 PayPal Plugin Auth Bypass

CVE-2026-9189 is an authentication bypass flaw in the Contact Form 7 PayPal & Stripe Add-on plugin for WordPress that allows attackers to mark orders as paid with minimal payment. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-9189 Overview

CVE-2026-9189 is a payment bypass vulnerability in the Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress, affecting all versions up to and including 2.4.9. The flaw resides in the cf7pp_paypal_ipn_handler() function, which validates PayPal Instant Payment Notification (IPN) authenticity but fails to verify that the payment amount, currency, and receiver email match the stored order. Unauthenticated attackers can mark arbitrary high-value pending orders as fully paid by submitting a minimal real PayPal payment with a crafted invoice parameter referencing the targeted order. The vulnerability is classified under [CWE-345: Insufficient Verification of Data Authenticity].

Critical Impact

Unauthenticated attackers can complete arbitrary high-value purchases by submitting only minimal real PayPal payments, causing direct financial loss to site operators.

Affected Products

  • Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress
  • All versions up to and including 2.4.9
  • WordPress sites processing PayPal payments through this plugin

Discovery Timeline

  • 2026-05-29 - CVE-2026-9189 published to NVD
  • 2026-05-29 - Last updated in NVD database

Technical Details for CVE-2026-9189

Vulnerability Analysis

The vulnerability resides in the PayPal IPN handler logic of the Contact Form 7 PayPal & Stripe Add-on plugin. The cf7pp_paypal_ipn_handler() function correctly performs the first half of IPN validation by posting the received payload back to PayPal with cmd=_notify-validate, confirming that PayPal originated the message. However, the handler stops short of the second mandatory validation step: comparing the returned transaction fields against the merchant's stored order record.

Specifically, the handler never compares the IPN's mc_gross (payment amount), mc_currency, or receiver_email values to the corresponding stored order values. Instead, it extracts the attacker-controlled invoice field, casts it to an integer, and passes it directly to cf7pp_complete_payment(), which marks the referenced order as completed without verifying that the actual amount paid matches the order total.

Root Cause

The root cause is incomplete validation of IPN payload authenticity against business state. While the plugin trusts PayPal's _notify-validate response as proof of message origin, it treats that response as sufficient evidence of payment correctness. Authoritative PayPal documentation requires merchants to also verify amount, currency, and recipient against the stored order before fulfilling. The missing comparison turns a verified IPN into a forgeable payment proof when paired with any attacker-funded real transaction.

Attack Vector

An unauthenticated attacker identifies a pending order ID on a target site, typically by enumerating predictable numeric invoice values. The attacker then initiates a legitimate PayPal payment for a trivial amount (for example, the lowest allowed currency unit) to the merchant's PayPal account. During checkout, the attacker sets the invoice field on the outgoing PayPal transaction to the target order's identifier. PayPal subsequently delivers a genuine, signed IPN to the plugin handler. Because the handler validates only authenticity and not amount, cf7pp_complete_payment() marks the high-value pending order as fully paid even though the attacker tendered only the minimal amount.

The vulnerability mechanism is described in detail in the Wordfence Vulnerability Report and the corresponding WordPress Plugin PayPal Handler source.

Detection Methods for CVE-2026-9189

Indicators of Compromise

  • Orders marked completed in WordPress where the recorded PayPal mc_gross does not match the stored order total.
  • IPN log entries containing invoice values that reference orders associated with a different PayPal account than the configured receiver_email.
  • Repeated low-value PayPal transactions originating from the same buyer email shortly before unrelated high-value orders flip to completed status.
  • Order fulfillment requests for products that have no corresponding settled funds in the merchant PayPal account.

Detection Strategies

  • Reconcile WordPress order status against PayPal transaction history daily and flag any completed order whose payment total is less than the order amount.
  • Inspect plugin and web server logs for POST requests to the IPN listener endpoint where the invoice parameter targets pending orders not associated with the originating PayPal payer.
  • Audit the cf7pp_paypal_ipn_handler() execution path for IPN events that bypass amount comparison logic.

Monitoring Recommendations

  • Enable verbose IPN logging and forward records to a centralized log platform for correlation with order state changes.
  • Alert on any order transition to completed that occurs within seconds of an IPN whose mc_gross is below a configurable threshold.
  • Monitor PayPal merchant reports for unusually low-value transactions paired with high-value WordPress order completions.

How to Mitigate CVE-2026-9189

Immediate Actions Required

  • Update the Contact Form 7 – PayPal & Stripe Add-on plugin to a version later than 2.4.9 as soon as a patched release is available from the vendor.
  • Manually reconcile recent completed orders against settled PayPal transactions and reverse fulfillment for any order where the paid amount does not match the order total.
  • Temporarily disable the plugin's PayPal payment path on production sites until the patch is applied if reconciliation cannot be performed continuously.

Patch Information

The vendor change addressing this issue is tracked in the WordPress Plugin Change Set 3551197. Site operators should upgrade to the fixed release referenced by Wordfence in the Wordfence Vulnerability Report and confirm that the IPN handler now compares mc_gross, mc_currency, and receiver_email against stored order values before completing payment.

Workarounds

  • Switch payment processing to the Stripe path provided by the same plugin until the PayPal handler is patched.
  • Apply a web application firewall rule that blocks IPN callbacks whose mc_gross value falls below the minimum expected order total for the site.
  • Implement a custom WordPress hook that intercepts cf7pp_complete_payment() and rejects completion when the IPN amount does not equal the stored order amount.
bash
# Configuration example: WP-CLI command to deactivate the affected plugin pending patch
wp plugin deactivate contact-form-7-paypal-add-on

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.