PT-2025-47828 · WordPress · Cp Contact Form With Paypal
Published 2025-11-22 · Updated 2025-11-27 · CVE-2025-13384
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
CP Contact Form with PayPal plugin for WordPress versions through 1.3.56
Description
The CP Contact Form with PayPal plugin for WordPress is vulnerable to unauthorized payment confirmation. The plugin exposes an unauthenticated payment-notification (IPN) endpoint, triggered by the cp_contactformpp_ipncheck query parameter, that processes payment confirmations without authentication, nonce verification, or verification of the notification with PayPal. An unauthenticated attacker can therefore mark arbitrary form submissions as paid by sending a forged payment notification whose POST fields, including payment_status, txn_id and payer_email, are entirely attacker-chosen.
Recommendations
Update the CP Contact Form with PayPal plugin to a version later than 1.3.56.
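The following is an added illustration of the weakness class and its fix, not code from the CP Contact Form with PayPal plugin or from this advisory. It shows the unsafe shape of an IPN listener that trusts whatever reaches it, next to a hardened listener that (1) posts the received message back to PayPal and accepts only a VERIFIED reply, and (2) checks the verified fields against the site's own order record. Assumptions: all cpcfpp_* functions and option keys are hypothetical, the submission id is assumed to travel in PayPal's custom field, and the hooks and helpers used (add_action, wp_remote_post, get_option, update_option, status_header, sanitize_email) are standard WordPress APIs. Only the trigger parameter cp_contactformpp_ipncheck and the fields payment_status, txn_id and payer_email come from the advisory.

```php
<?php
/*
 * Added example, not the plugin's code. Every cpcfpp_* name and option key
 * is hypothetical. The trigger parameter and the three POST fields are the
 * ones the advisory names.
 */

/* Unsafe shape: whoever reaches the endpoint decides what "paid" means. */
function cpcfpp_ipn_unsafe() {
    if ( empty( $_GET['cp_contactformpp_ipncheck'] ) ) {
        return;
    }
    if ( ( $_POST['payment_status'] ?? '' ) === 'Completed' ) {
        // txn_id and payer_email come straight from the request body.
        cpcfpp_mark_paid( $_POST['txn_id'] ?? '', $_POST['payer_email'] ?? '' );
    }
    exit;
}

/* Hardened shape: trust only what PayPal confirms and what matches our order. */
function cpcfpp_ipn_hardened() {
    if ( empty( $_GET['cp_contactformpp_ipncheck'] ) ) {
        return;
    }
    if ( $_SERVER['REQUEST_METHOD'] !== 'POST' ) {
        status_header( 405 );
        exit;
    }
    $raw = file_get_contents( 'php://input' );
    if ( $raw === false || $raw === '' ) {
        status_header( 400 );
        exit;
    }

    // Step 1: postback. Echo the body unchanged, with cmd=_notify-validate
    // prepended, to PayPal's IPN endpoint. Only the literal reply "VERIFIED"
    // proves PayPal originated this exact message.
    $endpoint = get_option( 'cpcfpp_sandbox' )
        ? 'https://ipnpb.sandbox.paypal.com/cgi-bin/webscr'
        : 'https://ipnpb.paypal.com/cgi-bin/webscr';
    $resp = wp_remote_post( $endpoint, array(
        'timeout' => 30,
        'headers' => array( 'Content-Type' => 'application/x-www-form-urlencoded' ),
        'body'    => 'cmd=_notify-validate&' . $raw,
    ) );
    if ( is_wp_error( $resp ) || wp_remote_retrieve_body( $resp ) !== 'VERIFIED' ) {
        status_header( 400 );
        exit;
    }

    // Step 2: a verified IPN proves origin, not that it pays *this* order.
    parse_str( $raw, $ipn );
    $txn      = $ipn['txn_id'] ?? '';
    $expected = cpcfpp_expected_payment( $ipn['custom'] ?? '' ); // assumption: custom = submission id
    $merchant = (string) get_option( 'cpcfpp_merchant_email', '' );
    $ok = $expected !== null
        && $txn !== ''
        && ! cpcfpp_txn_seen( $txn )                                    // replay of a real IPN
        && ( $ipn['payment_status'] ?? '' ) === 'Completed'
        && strcasecmp( $merchant, $ipn['receiver_email'] ?? '' ) === 0  // paid to us, not elsewhere
        && ( $ipn['mc_currency'] ?? '' ) === $expected['currency']
        && abs( (float) ( $ipn['mc_gross'] ?? 0 ) - (float) $expected['amount'] ) < 0.005;

    if ( $ok ) {
        cpcfpp_mark_paid( $txn, $ipn['payer_email'] ?? '' );
    }
    // Answer 200 once the message is verified, or PayPal keeps retrying;
    // a field mismatch is simply not marked as paid.
    status_header( 200 );
    exit;
}
add_action( 'init', 'cpcfpp_ipn_hardened' );

/* Hypothetical helpers backed by wp_options, enough to make the above run. */
function cpcfpp_expected_payment( $submission_id ) {
    // id => array( 'amount' => '25.00', 'currency' => 'USD' ), stored when the form was submitted
    $orders = (array) get_option( 'cpcfpp_orders', array() );
    return $orders[ $submission_id ] ?? null;
}
function cpcfpp_txn_seen( $txn ) {
    return in_array( $txn, (array) get_option( 'cpcfpp_seen_txns', array() ), true );
}
function cpcfpp_mark_paid( $txn, $payer_email ) {
    $seen   = (array) get_option( 'cpcfpp_seen_txns', array() );
    $seen[] = $txn;
    update_option( 'cpcfpp_seen_txns', $seen );
    $paid         = (array) get_option( 'cpcfpp_paid', array() );
    $paid[ $txn ] = sanitize_email( $payer_email );
    update_option( 'cpcfpp_paid', $paid );
}
```

Two practitioner notes. A WordPress nonce cannot protect this endpoint on its own, because the legitimate caller is PayPal's server rather than a browser that rendered a form; what stands in for authentication is the postback to PayPal plus the comparison of receiver_email, amount, currency and txn_id against the site's own record of the submission. Checking only that the message is VERIFIED is not enough: a real, verified IPN for a different or smaller payment, or a replay of an earlier one, must still be rejected, which is what the second step does.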
Weakness Enumeration
Missing Authorization (CWE-862)
Related Identifiers
CVE-2025-13384
Affected Products
CP Contact Form with PayPal (WordPress plugin)