CVE-2026-9189

Product & component : WordPress, Contact Form 7 – PayPal & Stripe Add-on. Vulnerability : Payment Bypass via IPN handling flaw in cf7pp_paypal_ipn_handler where the IPN payload’s mc_gross, mc_currency, or receiver_email aren’t compared against stored order values before passing the attacker-contr...

WordPress plugin Slek Gateway for WooCommerce 信息泄露漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

CVE-2026-39366

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing an attacker to replay a single legitimate IPN notification to repeatedly inflate their wallet balance and renew subscriptions...

WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php

Summary The PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing an attacker to replay a single legitimate IPN notification to repeatedly inflate their wallet balance and renew subscriptions. The newer ipnV2.php and webhook.php handlers correctly deduplicate...

CVE-2026-39366

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing an attacker to replay a single legitimate IPN notification to repeatedly inflate their wallet balance and renew subscriptions...

WWBN AVideo 数据伪造问题漏洞

WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 26.0 contained a data manipulation vulnerability. This vulnerability stemmed from a lack of transaction deduplication in the PayPal IPN v1 handler, which could allow attackers to...

CVE-2026-2428

The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.1.17. This is due to the PayPal IPN Instant Payment Notification verification being disabled by default disableipnverification defaults to...

CVE-2026-2428 Fluent Forms Pro Add On Pack <= 6.1.17 - Missing Authorization to Unauthenticated Payment Status modification

The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.1.17. This is due to the PayPal IPN Instant Payment Notification verification being disabled by default disableipnverification defaults to...

PT-2026-22290

Name of the Vulnerable Software and Affected Versions Fluent Forms Pro Add On Pack for WordPress versions through 6.1.17 Description The software contains a flaw related to insufficient verification of data authenticity. Specifically, PayPal IPN Instant Payment Notification verification is disabl...

PT-2026-8048

The BlueSnap Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.3.0. This is due to the plugin relying on WooCommerce's WC Geolocation::get ip address function to validate IPN requests, which trusts user-controllable...

WordPress plugin BlueSnap Payment Gateway for WooCommerce 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

EUVD-2025-198532

The Booking Calendar Contact Form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.60. This is due to missing authorization checks and payment verification in the dexbccfcheckIPNverification function. This makes it possible for unauthenticated...

EUVD-2025-198535

The Subscriptions & Memberships for PayPal plugin for WordPress is vulnerable to fake payment creation in all versions up to, and including, 1.1.7. This is due to the plugin not properly verifying the authenticity of an IPN request. This makes it possible for unauthenticated attackers to create...

CVE-2025-12752 Subscriptions & Memberships for PayPal <= 1.1.7 - Unauthenticated Fake Payment Creation

The Subscriptions & Memberships for PayPal plugin for WordPress is vulnerable to fake payment creation in all versions up to, and including, 1.1.7. This is due to the plugin not properly verifying the authenticity of an IPN request. This makes it possible for unauthenticated attackers to create...

CVE-2025-12752 Subscriptions & Memberships for PayPal <= 1.1.7 - Unauthenticated Fake Payment Creation

The Subscriptions & Memberships for PayPal plugin for WordPress is vulnerable to fake payment creation in all versions up to, and including, 1.1.7. This is due to the plugin not properly verifying the authenticity of an IPN request. This makes it possible for unauthenticated attackers to create...

PT-2025-47825

The Subscriptions & Memberships for PayPal plugin for WordPress is vulnerable to fake payment creation in all versions up to, and including, 1.1.7. This is due to the plugin not properly verifying the authenticity of an IPN request. This makes it possible for unauthenticated attackers to create...

WordPress plugin 워드프레스 결제 심플페이 – 우커머스 결제 플러그인 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A cross-site...

PT-2024-16842 · WordPress · 워드프레스 결제 심플페이 – 우커머스 결제 플러그인

Name of the Vulnerable Software and Affected Versions: 워드프레스 결제 심플페이 – 우커머스 결제 플러그인 versions up to, and including, 5.1.4 Description: The issue is related to Stored Cross-Site Scripting via the plugin's pafw instant payment shortcode due to insufficient input sanitization and output escaping on...

Сrimeware and financial cyberthreats in 2025

Kaspersky's Global Research and Analysis Team constantly monitors known and emerging cyberthreats directed at the financial industry, with banks and fintech companies being the most targeted. We also closely follow threats that aim to infiltrate a wider range of industries, namely ransomware...

paypal-ipn spoofing vulnerability

paypal-ipn is a node.js package for validating PayPal IPN messages. A security vulnerability exists in paypal-ipn versions prior to 3.0.0. An attacker can exploit this vulnerability by using an emulator build request to spoof arbitrary applications that do not detect the 'testipn' parameter...