Vulnerability Description
The CP Contact Form with PayPal plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.56. This is due to the plugin exposing an unauthenticated IPN-like endpoint (via the 'cp_contactformpp_ipncheck' query parameter) that processes payment confirmations without any authentication, nonce verification, or PayPal IPN signature validation. This makes it possible for unauthenticated attackers to mark form submissions as paid without making actual payments by sending forged payment notification requests with arbitrary POST data (payment_status, txn_id, payer_email).
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/cp-contact-form-with-paypal/tags/1.3.
- https://plugins.trac.wordpress.org/browser/cp-contact-form-with-paypal/tags/1.3.
- https://plugins.trac.wordpress.org/browser/cp-contact-form-with-paypal/tags/1.3.
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6639c3d8-8f26-4ee5-8c4
FAQ
What is CVE-2025-13384?
CVE-2025-13384 is a vulnerability with a CVSS score of 7.5 (HIGH). The CP Contact Form with PayPal plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.56. This is due to the plugin exposing an unauthenticated IPN-like...
How severe is CVE-2025-13384?
CVE-2025-13384 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-13384?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.