Overview
A high-severity vulnerability, tracked as CVE-2025-13384, has been discovered in the CP Contact Form with PayPal plugin for WordPress. The flaw lets an unauthenticated attacker mark a form submission as paid without completing any payment. All versions of the plugin up to and including 1.3.56 are affected. If you run this plugin, act now to protect your site.
Technical Details
The vulnerability stems from a missing authorization check in the plugin’s IPN-style (Instant Payment Notification) endpoint. A request carrying the ‘cp_contactformpp_ipncheck’ query parameter triggers the payment-confirmation code path. The plugin does nothing to establish that such a request came from PayPal: there is no authentication, no nonce, and no IPN verification step (posting the received message back to PayPal and acting only on a VERIFIED reply). An attacker therefore only has to send a forged notification with arbitrary POST data, setting fields such as ‘payment_status’, ‘txn_id’ and ‘payer_email’ to whatever a successful payment would carry, and the plugin records the submission as paid.
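The following is an added illustration and not the plugin’s own code (the plugin is PHP; Python is used here so the logic can be exercised offline). It places the trusting pattern the advisory describes beside a handler that verifies the notification with PayPal, checks the receiver, amount and currency, and refuses to honour a transaction id twice. `SubmissionStore`, `hardened_ipncheck`, the fake validator and all sample messages are this example’s own constructions; the field names (`payment_status`, `txn_id`, `receiver_email`, `mc_gross`, `mc_currency`, `custom`) and the `cmd=_notify-validate` postback are PayPal’s documented IPN protocol.

```python
# Added example: trusting vs. verifying an IPN-style callback. Not the plugin's code.
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from typing import Callable, Dict, Set, Tuple
from urllib.parse import parse_qsl, urlencode

MERCHANT_EMAIL = "shop@example.com"  # constructed merchant account for this example


@dataclass
class SubmissionStore:
    """Stand-in for the plugin's submission table (constructed, not the real schema)."""
    expected: Dict[str, Tuple[Decimal, str]] = field(default_factory=dict)  # id -> (gross, currency)
    paid: Set[str] = field(default_factory=set)
    seen_txn: Set[str] = field(default_factory=set)


def vulnerable_ipncheck(post: Dict[str, str], store: SubmissionStore) -> bool:
    """The pattern the advisory describes: the POST body is believed as-is."""
    if post.get("payment_status") == "Completed":
        store.paid.add(post.get("custom", ""))  # 'custom' carries the submission id back
        return True
    return False


def hardened_ipncheck(raw_body: str, store: SubmissionStore,
                      validate: Callable[[str], str]) -> str:
    """Mark a submission paid only after PayPal confirms the message and its
    contents match what this merchant expected. Returns a verdict string."""
    # 1. Hand the untouched body back to PayPal with cmd=_notify-validate prepended; only a
    #    VERIFIED reply proves PayPal sent it. `validate` is injected so this runs offline;
    #    a real handler POSTs to https://ipnpb.paypal.com/cgi-bin/webscr.
    if validate("cmd=_notify-validate&" + raw_body) != "VERIFIED":
        return "rejected: not verified by PayPal"
    post = dict(parse_qsl(raw_body, keep_blank_values=True))
    # 2. Only a completed payment counts (Pending, Refunded, Reversed do not).
    if post.get("payment_status") != "Completed":
        return "ignored: payment_status=" + post.get("payment_status", "")
    # 3. A VERIFIED message may still describe a payment into the attacker's own account.
    if post.get("receiver_email", "").lower() != MERCHANT_EMAIL:
        return "rejected: receiver_email mismatch"
    # 4. Amount and currency must match the submission; the buyer controls the checkout form.
    sub_id = post.get("custom", "")
    if sub_id not in store.expected:
        return "rejected: unknown submission"
    gross, currency = store.expected[sub_id]
    try:
        paid = Decimal(post.get("mc_gross", ""))
    except InvalidOperation:
        return "rejected: unparseable mc_gross"
    if paid != gross or post.get("mc_currency") != currency:
        return "rejected: amount or currency mismatch"
    # 5. Honour each txn_id once; a genuine message replayed is still a fraud.
    txn = post.get("txn_id", "")
    if not txn or txn in store.seen_txn:
        return "rejected: missing or replayed txn_id"
    store.seen_txn.add(txn)
    store.paid.add(sub_id)
    return "accepted"


def _ipn(status: str, txn: str, gross: str, payer: str) -> str:
    """Build a constructed IPN body for submission 42 using PayPal's field names."""
    return urlencode({"payment_status": status, "txn_id": txn, "receiver_email": MERCHANT_EMAIL,
                      "payer_email": payer, "mc_gross": gross, "mc_currency": "USD", "custom": "42"})


GENUINE_BODY = _ipn("Completed", "5TY05013RG002845M", "49.00", "buyer@example.net")
UNDERPAID_BODY = _ipn("Completed", "7KL99887MN554433P", "0.01", "attacker@example.org")  # real $0.01 payment
FORGED_BODY = _ipn("Completed", "FAKE000000000001", "49.00", "attacker@example.org")     # no payment at all


def fake_paypal_validator(body: str) -> str:
    """Offline stand-in for PayPal's validation endpoint: it vouches only for messages it 'sent'."""
    genuine = {"cmd=_notify-validate&" + GENUINE_BODY, "cmd=_notify-validate&" + UNDERPAID_BODY}
    return "VERIFIED" if body in genuine else "INVALID"


def demo() -> Dict[str, object]:
    """Run both handlers against the constructed messages and report the verdicts."""
    expected = {"42": (Decimal("49.00"), "USD")}
    vuln_store = SubmissionStore(expected=dict(expected))
    hard_store = SubmissionStore(expected=dict(expected))
    return {
        "vulnerable_marks_paid": vulnerable_ipncheck(dict(parse_qsl(FORGED_BODY)), vuln_store),
        "hardened_forged": hardened_ipncheck(FORGED_BODY, hard_store, fake_paypal_validator),
        "hardened_underpaid": hardened_ipncheck(UNDERPAID_BODY, hard_store, fake_paypal_validator),
        "hardened_genuine": hardened_ipncheck(GENUINE_BODY, hard_store, fake_paypal_validator),
        "hardened_replay": hardened_ipncheck(GENUINE_BODY, hard_store, fake_paypal_validator),
        "paid_after_hardened": sorted(hard_store.paid),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The forged message is accepted by the trusting handler and rejected by the verifying one before any field is even read. The underpaid case matters too: PayPal will happily VERIFY a genuine one-cent payment, so the postback alone is not enough, and the receiver, amount, currency and replay checks have to follow it.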
The vulnerable code segments can be found in the following files (version 1.3.56):
CVSS Analysis
- CVE ID: CVE-2025-13384
- Severity: HIGH
- CVSS Score: 7.5
A score of 7.5 sits in the CVSS High band (7.0 to 8.9). It is the value CVSS v3.1 yields for a flaw that is reachable over the network, low in complexity, and needs neither credentials nor user interaction, with a high impact on one of the three properties. Here that property is integrity: an outsider can set the payment state of a submission. Confidentiality and availability are not directly affected, which is why the score stops short of Critical even though exploitation is trivial.
Possible Impact
Successful exploitation of this vulnerability can lead to:
- Financial Loss: Attackers can receive goods or services without paying, leading to direct financial losses.
- Inventory Depletion: If the contact form is used to process orders, attackers can deplete your inventory without legitimate purchases.
- Reputational Damage: Customers may lose trust in your website if they discover fraudulent transactions.
- Resource Exhaustion: Malicious actors can potentially flood the endpoint with bogus requests, leading to resource exhaustion on the server.
Mitigation or Patch Steps
The most important step is to update the CP Contact Form with PayPal plugin. According to the plugin’s changelog a fix has been committed; install the first release after 1.3.56 that carries it, checking the WordPress plugin repository if the update has not yet appeared in your dashboard. If you cannot update, disable the plugin until you can, since any site exposing the vulnerable endpoint can be defrauded with a single unauthenticated request.
After updating, confirm that the fix actually closes the hole described in this advisory: the ‘cp_contactformpp_ipncheck’ path should verify the notification with PayPal before marking anything paid rather than trusting the POST body. Finally, review submissions that were marked paid while the vulnerable version was active and reconcile each recorded ‘txn_id’ against your PayPal account activity. Entries with no matching PayPal transaction, a mismatched amount, or a transaction id shared by several submissions were most likely forged and should be treated as unpaid.
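The reconciliation just described, as an added example rather than anything shipped with the plugin. The submission rows and the PayPal export are constructed for the example, and their field names (`txn_id`, `amount`, `gross`, `status`) are assumptions to adapt to the real table and the real activity export.

```python
# Added example: reconcile submissions flagged paid against a PayPal export. Not the plugin's tooling.
from decimal import Decimal
from typing import Dict, List

# Constructed rows: submissions the plugin marked paid, with the IPN fields it stored.
# Field names are assumed for the example; adapt them to the real table and export.
SUBMISSIONS = [
    {"id": "40", "txn_id": "5TY05013RG002845M", "amount": "49.00"},
    {"id": "41", "txn_id": "", "amount": "49.00"},                    # paid flag, no transaction at all
    {"id": "42", "txn_id": "FAKE000000000001", "amount": "49.00"},    # id PayPal has never seen
    {"id": "43", "txn_id": "5TY05013RG002845M", "amount": "49.00"},   # genuine id reused
    {"id": "44", "txn_id": "8AB12345CD678910E", "amount": "120.00"},  # genuine id, wrong amount
    {"id": "45", "txn_id": "3CD45678EF901234G", "amount": "49.00"},   # genuine id, later refunded
]
# Constructed merchant-side PayPal activity export: txn id -> gross and status.
PAYPAL_EXPORT = {
    "5TY05013RG002845M": {"gross": "49.00", "status": "Completed"},
    "8AB12345CD678910E": {"gross": "1.00", "status": "Completed"},
    "3CD45678EF901234G": {"gross": "49.00", "status": "Refunded"},
}


def reconcile(submissions, paypal) -> Dict[str, List[str]]:
    """Return, per submission id, every reason its 'paid' flag is not backed by PayPal's records."""
    findings: Dict[str, List[str]] = {}
    first_use: Dict[str, str] = {}  # txn_id -> first submission that claimed it
    for s in submissions:
        problems: List[str] = []
        txn = s["txn_id"]
        if not txn:
            problems.append("no txn_id recorded")
        elif txn not in paypal:
            problems.append("txn_id absent from PayPal export")
        else:
            rec = paypal[txn]
            if rec["status"] != "Completed":
                problems.append(f"PayPal status is {rec['status']}")
            if Decimal(rec["gross"]) != Decimal(s["amount"]):
                problems.append(f"PayPal gross {rec['gross']} != submission amount {s['amount']}")
            if txn in first_use:
                problems.append(f"txn_id already used by submission {first_use[txn]}")
            else:
                first_use[txn] = s["id"]
        if problems:
            findings[s["id"]] = problems
    return findings


if __name__ == "__main__":
    for sub_id, reasons in reconcile(SUBMISSIONS, PAYPAL_EXPORT).items():
        print(sub_id, "->", "; ".join(reasons))
```

Only submission 40 survives the check. The others show the four shapes of bad record a forged or tampered notification leaves behind: no transaction, an unknown transaction, a genuine transaction reused, and a genuine transaction for the wrong amount, plus the non-fraud case of a refund that the paid flag never caught up with.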
