Joaquin Ramirez Martinez

**Name of the Vulnerable Software and Affected Versions** CP Contact Form with PayPal version 1.2.97 and earlier **Description** The issue concerns a Cross-Site Scripting (XSS) flaw in the CSS edition of the plugin. **Recommendations** For versions 1.2.97 and earlier, update to version 1.2.98 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** CP Contact Form with PayPal plugin versions prior to 1.2.99 **Description** The issue concerns a Cross-Site Scripting (XSS) flaw in the publishing wizard of the plugin. This is accessible via the "wp-admin/admin.php?page=cp contact form paypal.php&pwizard=1" endpoint, specifically through the `cp contactformpp id` parameter. **Recommendations** For versions prior to 1.2.99, update to version 1.2.99 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** cp-contact-form-with-paypal versions prior to 1.1.6 **Description** The issue is related to CSRF with resultant XSS. It is connected to the files cp contactformpp.php and cp contactformpp admin int list.inc.php. **Recommendations** For versions prior to 1.1.6, update to version 1.1.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** cp-contact-form-with-paypal versions prior to 1.1.6 **Description** The issue concerns SQL injection, which can be exploited through the `cp contactformpp id` parameter in the `cp contactformpp.php` file. **Recommendations** For versions prior to 1.1.6, update to version 1.1.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** CP Reservation Calendar plugin versions prior to 1.1.7 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `id` parameter in a "dex reservations calendar load2" action or the `dex item` parameter in a "dex reservations check posted data" action in a request to the default URI. **Recommendations** For versions prior to 1.1.7, update to version 1.1.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the dex reservations.php file to minimize the risk of exploitation. Avoid using the `id` and `dex item` parameters in the affected actions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Contact Form Generator plugin versions 2.0.1 and earlier **Description** The issue allows remote attackers to hijack the authentication of administrators for various requests, including creating, updating, or deleting fields, forms, or templates, as well as conducting cross-site scripting (XSS) attacks. This is achieved through a crafted request to the "cfg forms" page in "wp-admin/admin.php". **Recommendations** For Contact Form Generator plugin versions 2.0.1 and earlier, update to a version later than 2.0.1 to resolve the issue.