Volerion logoVolerion
Volerion logoVolerion

CP Contact Form with PayPal WordPress Plugin Cross-Site Request Forgery Vulnerability

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the CP Contact Form with PayPal plugin for WordPress, affecting all versions through 1.3.52. The vulnerability arises from inadequate nonce validation in the 'cp_contact_form_paypal_check_init_actions()' function, allowing unauthenticated attackers to manipulate discount codes by tricking an administrator into clicking a link.

Impact

Exploitation allows for Cross-Site Request Forgery, where an attacker can impersonate a user and perform actions on their behalf, potentially leading to unauthorized changes or data manipulation.

Reproduction

To reproduce this vulnerability, an attacker must send a forged request to the WordPress site, including the necessary parameters to bypass the nonce validation. This can be done by tricking an administrator into clicking a link that activates the 'cp_contactformpp_ipncheck' parameter, which is not properly validated, allowing the attacker to add discount codes.

Remediation

Users are advised to update the CP Contact Form with PayPal plugin to version 1.3.53 or later.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread
1.6
impact
0.6
exploitability
7.6
remediation
7.7
relevance
0.0
threat
4.8
urgency
2.9
incentive
1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.