7.5
CVE-2025-13384
- EPSS 0.16%
- Veröffentlicht 22.11.2025 07:29:19
- Zuletzt bearbeitet 25.11.2025 22:16:42
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
CP Contact Form with PayPal <= 1.3.56 - Missing Authorization to Unauthenticated Arbitrary Payment Confirmation
The CP Contact Form with PayPal plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.56. This is due to the plugin exposing an unauthenticated IPN-like endpoint (via the 'cp_contactformpp_ipncheck' query parameter) that processes payment confirmations without any authentication, nonce verification, or PayPal IPN signature validation. This makes it possible for unauthenticated attackers to mark form submissions as paid without making actual payments by sending forged payment notification requests with arbitrary POST data (payment_status, txn_id, payer_email).
Mögliche Gegenmaßnahme
CP Contact Form with PayPal: Update to version 1.3.57, or a newer patched version
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
LoginWeitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
CP Contact Form with PayPal
Version
*-1.3.56
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellercodepeople
≫
Produkt
CP Contact Form with PayPal
Default Statusunaffected
Version <=
1.3.56
Version
*
Status
affected
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.16% | 0.372 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@wordfence.com | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
|
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.