Contact Form 7 - PayPal & Stripe Add-on Payment Bypass Vulnerability

Vulnerability

A vulnerability exists in the Contact Form 7 - PayPal & Stripe Add-on for WordPress, affecting all versions up to and including 2.4.9. The issue arises from inadequate verification of data authenticity in the PayPal IPN handler. While the handler validates IPN authenticity by posting back to PayPal, it fails to compare critical payment details, such as the payment amount, currency, and receiver email, against stored order values. This oversight allows unauthenticated attackers to manipulate the 'invoice' field and falsely mark high-value orders as paid, effectively bypassing the payment process.
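
The check that the advisory says is missing can be shown as a small verification routine. The following Python is an added illustration, not the plugin's code: it models a stored order, an IPN message already confirmed authentic by the PayPal postback, and two handlers. The weak one marks an order paid as soon as the invoice resolves; the hardened one additionally compares amount, currency, receiver email, payment status and transaction id against the stored order. Order data, the `make_orders` helper and the `paypal_postback_verified` stub are constructed for the example; the IPN field names (`invoice`, `mc_gross`, `mc_currency`, `receiver_email`, `txn_id`, `payment_status`) are PayPal's standard IPN variables.

```python
"""IPN handling: weak (invoice-only) versus hardened (field-by-field) checks.

Illustrative code, not the Contact Form 7 - PayPal & Stripe Add-on's own.
It assumes the store keeps, per order, the expected amount, currency and
receiver (merchant) email, and that the postback to PayPal already answered
VERIFIED for the incoming message.
"""
from decimal import Decimal, InvalidOperation


def make_orders():
    """Constructed sample order table keyed by invoice id (hypothetical data)."""
    return {
        "INV-1001": {"amount": Decimal("0.01"), "currency": "USD",
                     "receiver_email": "merchant@example.com", "status": "pending"},
        "INV-2002": {"amount": Decimal("1500.00"), "currency": "USD",
                     "receiver_email": "merchant@example.com", "status": "pending"},
    }


def paypal_postback_verified(ipn):
    """Stand-in for re-posting the IPN to PayPal and checking for 'VERIFIED'.

    Always returns True here: the advisory's case is exactly a message that
    PayPal confirms as authentic, so authenticity alone must not be trusted.
    """
    return True


def weak_mark_paid(ipn, orders):
    """Flawed pattern: once the IPN is authentic, trust the invoice field."""
    if not paypal_postback_verified(ipn):
        return False
    order = orders.get(ipn.get("invoice"))
    if order is None:
        return False
    order["status"] = "paid"
    return True


def hardened_mark_paid(ipn, orders, seen_txn_ids):
    """Hardened pattern: authenticity plus comparison against stored values.

    seen_txn_ids is a set shared across calls so a transaction id cannot be
    replayed to complete a second order.
    """
    if not paypal_postback_verified(ipn):
        return False
    order = orders.get(ipn.get("invoice"))
    if order is None or order["status"] != "pending":
        return False
    if ipn.get("payment_status") != "Completed":
        return False
    try:
        paid = Decimal(ipn.get("mc_gross", ""))
    except InvalidOperation:
        return False
    if paid != order["amount"]:
        return False                      # amount mismatch
    if ipn.get("mc_currency") != order["currency"]:
        return False                      # currency mismatch
    if (ipn.get("receiver_email") or "").lower() != order["receiver_email"].lower():
        return False                      # paid to someone other than the merchant
    txn = ipn.get("txn_id")
    if not txn or txn in seen_txn_ids:
        return False                      # missing or replayed transaction id
    seen_txn_ids.add(txn)
    order["status"] = "paid"
    return True


if __name__ == "__main__":
    # Constructed IPN: a genuine 0.01 USD payment whose invoice field names
    # the 1500.00 USD order.
    ipn = {"invoice": "INV-2002", "mc_gross": "0.01", "mc_currency": "USD",
           "receiver_email": "merchant@example.com", "txn_id": "TXN-A",
           "payment_status": "Completed"}
    print("weak handler marks paid:", weak_mark_paid(dict(ipn), make_orders()))
    print("hardened handler marks paid:", hardened_mark_paid(ipn, make_orders(), set()))
```

The decisive difference is that the hardened handler treats the invoice field as a lookup key only, and treats the stored order as the source of truth for what a completed payment must look like; a confirmed-authentic IPN that does not match every stored field is rejected, and the order stays pending for later review.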

Impact

Exploitation of this vulnerability allows unauthenticated users to manipulate payment statuses, marking high-value orders as paid without completing the actual transaction.

Reproduction

To reproduce this vulnerability, an attacker can make a minimal real payment through PayPal, then send a crafted IPN message that includes an invoice reference to a targeted order. The IPN handler will validate the IPN but will not properly verify the payment details, allowing the attacker to falsely complete the order.

Remediation

Users are advised to update the Contact Form 7 - PayPal & Stripe Add-on to version 2.4.10 or later.

Added: May 29, 2026, 9:20 AM
Updated: May 29, 2026, 9:20 AM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  8.4
remediation     0.0
relevance       9.8
threat          4.8
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.