The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress is vulnerable to Payment Bypass...
📋 Description
The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress is vulnerable to Payment Bypass via Insufficient Verification of Data Authenticity in all versions up to, and including, 2.4.9. Although cf7pp_paypal_ipn_handler() correctly validates IPN authenticity by posting back to PayPal with cmd=_notify-validate, it fails to compare the IPN payload's mc_gross (payment amount), mc_currency, or receiver_email fields against the corresponding stored order values before passing the attacker-controlled invoice field directly to cf7pp_complete_payment(), which marks the order completed after only an integer cast with no amount verification. This makes it possible for unauthenticated attackers to mark arbitrary high-value pending orders as fully paid by making a minimal real PayPal payment and crafting an IPN whose invoice parameter references the targeted order, effectively completing purchases without tendering the required payment amount.
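As an added example (not the plugin's own code), the comparison step the advisory describes as missing: a check that runs after the cmd=_notify-validate round-trip succeeds and before cf7pp_complete_payment() is called. The $order array, its keys, and the $expected_receiver argument are assumptions about how the stored order is represented.

```php
<?php
// Added example, not code from the plugin. Assumes $order was loaded from the
// plugin's own storage and carries 'id', 'amount', 'currency' and 'status'
// (key names are assumptions). $ipn is the payload PayPal has already answered
// VERIFIED for; authenticity alone says nothing about which order it pays for.

function cf7pp_ipn_matches_order(array $ipn, array $order, string $expected_receiver): bool {
    // Only a completed PayPal payment may complete an order.
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        return false;
    }
    // The invoice must reference a pending order; an integer cast on its own
    // does not establish that the referenced order exists or is still unpaid.
    if ((int) ($ipn['invoice'] ?? 0) !== (int) $order['id'] || $order['status'] !== 'pending') {
        return false;
    }
    // Amount: compare as integer cents so that float rounding cannot mask a shortfall.
    $paid_cents     = (int) round(((float) ($ipn['mc_gross'] ?? 0)) * 100);
    $expected_cents = (int) round(((float) $order['amount']) * 100);
    if ($paid_cents < $expected_cents) {
        return false;
    }
    // Currency must match exactly; the numeric amount is meaningless without it.
    if (strtoupper($ipn['mc_currency'] ?? '') !== strtoupper($order['currency'])) {
        return false;
    }
    // The funds must have been received by this merchant's PayPal account.
    if (strcasecmp($ipn['receiver_email'] ?? '', $expected_receiver) !== 0) {
        return false;
    }
    return true;
}

// Constructed sample input: a 1.00 USD IPN against a 49.99 USD pending order.
$order = [
    'id' => 42, 'amount' => '49.99', 'currency' => 'USD', 'status' => 'pending',
];
$ipn = [
    'payment_status' => 'Completed', 'invoice' => '42', 'mc_gross' => '1.00',
    'mc_currency'    => 'USD',       'receiver_email' => 'merchant@example.com',
];
if (cf7pp_ipn_matches_order($ipn, $order, 'merchant@example.com')) {
    // Only here would the handler hand the order id to cf7pp_complete_payment().
    echo "order {$order['id']} may be completed\n";
} else {
    echo "IPN rejected: amount, currency or receiver does not match order {$order['id']}\n";
}
```

The same comparison belongs in front of any other path that marks an order paid, since the _notify-validate round-trip only proves PayPal sent the message, not that it pays for the referenced order.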
🔗 References (10)
- https://nvd.nist.gov/vuln/detail/CVE-2026-9189
- https://plugins.trac.wordpress.org/browser/contact-form-7-paypal-add-on/tags/2.4.6/includes/payments/functions.php#L31
- https://plugins.trac.wordpress.org/browser/contact-form-7-paypal-add-on/tags/2.4.6/includes/payments/paypal_handler.php#L106
- https://plugins.trac.wordpress.org/browser/contact-form-7-paypal-add-on/tags/2.4.6/includes/payments/paypal_handler.php#L75
- https://plugins.trac.wordpress.org/browser/contact-form-7-paypal-add-on/tags/2.4.8/includes/payments/functions.php#L31
- https://plugins.trac.wordpress.org/browser/contact-form-7-paypal-add-on/tags/2.4.8/includes/payments/paypal_handler.php#L106
- https://plugins.trac.wordpress.org/browser/contact-form-7-paypal-add-on/tags/2.4.8/includes/payments/paypal_handler.php#L75
- https://plugins.trac.wordpress.org/changeset/3551197/contact-form-7-paypal-add-on
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5e274781-1c20-4224-bc10-26dadb9b1e07?source=cve
- https://github.com/advisories/GHSA-vr4h-g9wj-2p4g