Threat Entry Updated 2026-05-29

CVE-2026-9189 - Stripe Add On Plugin

The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress is vulnerable to Payment Bypass via Insufficient Verification of Data Authenticity in all versions up to, and including, 2.4.9. Although `cf7pp_paypal_ipn_handler()` correctly validates IPN authenticity by posting back to PayPal with `cmd=_notify-validate`, it fails to compare the IPN payload's `mc_gross` (payment amount), `mc_currency`, or `receiver_email` fields against the corresponding stored order values before passing the attacker-controlled `invoice` field directly to `cf7pp_complete_payment()`, which marks the order completed after only an integer cast with no amount verification. This makes it…

PLUGIN Stripe Add On

CVE-2026-9189

MEDIUM CVSS 5.3 2026-05-29

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-07-11

CVE-2024-10683 - Stripe Add On Plugin

The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.3.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This is only exploitable when the leave a review notice is present in the dashboard.

PLUGIN Stripe Add On

CVE-2024-10683

MEDIUM CVSS 6.1 2024-11-09

Risk Score

Open Full Technical Breakdown