Vulnerabilities and security researches forcp-contact-form-with-paypal cp-contact-form-with-paypal

Jun 07, 2024

CVE, Research URL: CVE-2023-27460
Home page URL: Security reports for CP Contact Form with PayPal
Application: CP Contact Form with PayPal
Date: Jun 04, 2024
Research Description: Missing Authorization vulnerability in CodePeople, paypaldev CP Contact Form with Paypal allows Functionality Misuse.This issue affects CP Contact Form with Paypal: from n/a through 1.3.34.
Affected versions: max 1.3.35.
Status: vulnerable

CVE, Research URL: CVE-2015-9233
Home page URL: Security reports for CP Contact Form with PayPal
Application: CP Contact Form with PayPal
Date: Sep 30, 2017
Research Description: The cp-contact-form-with-paypal (aka CP Contact Form with PayPal) plugin before 1.1.6 for WordPress has CSRF with resultant XSS, related to cp_contactformpp.php and cp_contactformpp_admin_int_list.inc.php.
Affected versions: max 1.1.6.
Status: vulnerable

CVE, Research URL: CVE-2015-9234
Home page URL: Security reports for CP Contact Form with PayPal
Application: CP Contact Form with PayPal
Date: Sep 30, 2017
Research Description: The cp-contact-form-with-paypal (aka CP Contact Form with PayPal) plugin before 1.1.6 for WordPress has SQL injection via the cp_contactformpp_id parameter to cp_contactformpp.php.
Affected versions: max 1.1.6.
Status: vulnerable

CVE, Research URL: CVE-2019-14784
Home page URL: Security reports for CP Contact Form with PayPal
Application: CP Contact Form with PayPal
Date: Aug 15, 2019
Research Description: The "CP Contact Form with PayPal" plugin before 1.2.98 for WordPress has XSS in CSS edition.
Affected versions: max 1.3.02.
Status: vulnerable

CVE, Research URL: CVE-2019-14785
Home page URL: Security reports for CP Contact Form with PayPal
Application: CP Contact Form with PayPal
Date: Aug 09, 2019
Research Description: The "CP Contact Form with PayPal" plugin before 1.2.99 for WordPress has XSS in the publishing wizard via the wp-admin/admin.php?page=cp_contact_form_paypal.php&pwizard=1 cp_contactformpp_id parameter.
Affected versions: max 1.3.02.
Status: vulnerable

Feb 01, 2025

CVE, Research URL: CVE-2024-13758
Home page URL: Security reports for CP Contact Form with PayPal
Application: CP Contact Form with PayPal
Date: Jan 30, 2025
Research Description: The CP Contact Form with PayPal plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.52. This is due to missing or incorrect nonce validation on the cp_contact_form_paypal_check_init_actions() function. This makes it possible for unauthenticated attackers to add discount codes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: max 1.3.53.
Status: vulnerable

Dec 11, 2025

CVE, Research URL: CVE-2025-13384
Home page URL: Security reports for CP Contact Form with PayPal
Application: CP Contact Form with PayPal
Date: Nov 22, 2025
Research Description: The CP Contact Form with PayPal plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.56. This is due to the plugin exposing an unauthenticated IPN-like endpoint (via the 'cp_contactformpp_ipncheck' query parameter) that processes payment confirmations without any authentication, nonce verification, or PayPal IPN signature validation. This makes it possible for unauthenticated attackers to mark form submissions as paid without making actual payments by sending forged payment notification requests with arbitrary POST data (payment_status, txn_id, payer_email).
Affected versions: max 1.3.57.
Status: vulnerable