CVE-2025-13384
BaseFortify
Publication date: 2025-11-22
Last updated on: 2025-11-22
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | cp_contact_form_with_paypal | 1.3.56 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The CP Contact Form with PayPal plugin for WordPress has a vulnerability called Missing Authorization. This means that an unauthenticated attacker can access a special endpoint in the plugin that processes payment confirmations without any security checks like authentication, nonce verification, or PayPal IPN signature validation. As a result, attackers can send fake payment notifications to the plugin, causing it to mark form submissions as paid even though no real payment was made.
How can this vulnerability impact me?
This vulnerability can allow attackers to fraudulently mark payments as completed without actually paying. This could lead to financial loss, as services or goods might be delivered without receiving payment. It also undermines the integrity of the payment system and could damage trust in the affected website.