CVE-2026-9189

Product & component : WordPress, Contact Form 7 – PayPal & Stripe Add-on. Vulnerability : Payment Bypass via IPN handling flaw in cf7pp_paypal_ipn_handler where the IPN payload’s mc_gross, mc_currency, or receiver_email aren’t compared against stored order values before passing the attacker-contr...

WordPress plugin Slek Gateway for WooCommerce 信息泄露漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

CVE-2026-39366

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing an attacker to replay a single legitimate IPN notification to repeatedly inflate their wallet balance and renew subscriptions...

WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php

Summary The PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing an attacker to replay a single legitimate IPN notification to repeatedly inflate their wallet balance and renew subscriptions. The newer ipnV2.php and webhook.php handlers correctly deduplicate...

CVE-2026-2428

The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.1.17. This is due to the PayPal IPN Instant Payment Notification verification being disabled by default disableipnverification defaults to...

CVE-2026-2428 Fluent Forms Pro Add On Pack <= 6.1.17 - Missing Authorization to Unauthenticated Payment Status modification

The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.1.17. This is due to the PayPal IPN Instant Payment Notification verification being disabled by default disableipnverification defaults to...

PT-2026-22290

Name of the Vulnerable Software and Affected Versions Fluent Forms Pro Add On Pack for WordPress versions through 6.1.17 Description The software contains a flaw related to insufficient verification of data authenticity. Specifically, PayPal IPN Instant Payment Notification verification is disabl...

PT-2026-8048

The BlueSnap Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.3.0. This is due to the plugin relying on WooCommerce's WC Geolocation::get ip address function to validate IPN requests, which trusts user-controllable...

WordPress plugin BlueSnap Payment Gateway for WooCommerce 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

EUVD-2025-198532

The Booking Calendar Contact Form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.60. This is due to missing authorization checks and payment verification in the dexbccfcheckIPNverification function. This makes it possible for unauthenticated...

EUVD-2025-198535

The Subscriptions & Memberships for PayPal plugin for WordPress is vulnerable to fake payment creation in all versions up to, and including, 1.1.7. This is due to the plugin not properly verifying the authenticity of an IPN request. This makes it possible for unauthenticated attackers to create...

CVE-2025-12752 Subscriptions & Memberships for PayPal <= 1.1.7 - Unauthenticated Fake Payment Creation

The Subscriptions & Memberships for PayPal plugin for WordPress is vulnerable to fake payment creation in all versions up to, and including, 1.1.7. This is due to the plugin not properly verifying the authenticity of an IPN request. This makes it possible for unauthenticated attackers to create...

CVE-2025-12752 Subscriptions & Memberships for PayPal <= 1.1.7 - Unauthenticated Fake Payment Creation

The Subscriptions & Memberships for PayPal plugin for WordPress is vulnerable to fake payment creation in all versions up to, and including, 1.1.7. This is due to the plugin not properly verifying the authenticity of an IPN request. This makes it possible for unauthenticated attackers to create...