CVE-2025-13384
📋 TL;DR
This vulnerability allows unauthenticated attackers to forge PayPal payment notifications in the CP Contact Form with PayPal WordPress plugin, marking form submissions as paid without actual payment. All WordPress sites using this plugin up to version 1.3.56 are affected. Attackers can manipulate payment status, transaction IDs, and payer emails through crafted requests.
💻 Affected Systems
- CP Contact Form with PayPal WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could mark all form submissions as paid, causing significant financial loss if the plugin is used for paid services, and potentially enabling unauthorized access to paid content or services.
Likely Case
Attackers mark individual form submissions as paid without payment, causing revenue loss for paid forms and undermining payment verification systems.
If Mitigated
With proper authentication and PayPal IPN validation, only legitimate PayPal notifications would be processed, preventing unauthorized payment confirmations.
🎯 Exploit Status
Exploitation requires sending crafted HTTP POST requests to the vulnerable endpoint with payment_status, txn_id, and payer_email parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.57 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'CP Contact Form with PayPal'.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 1.3.57+ from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the vulnerable plugin until patched
wp plugin deactivate cp-contact-form-with-paypal
Block Vulnerable Endpoint
Use a web application firewall or .htaccess rules to block access to the IPN endpoint
RewriteEngine On
RewriteCond %{QUERY_STRING} cp_contactformpp_ipncheck [NC]
RewriteRule ^ - [F,L]
🧯 If You Can't Patch
- Disable the CP Contact Form with PayPal plugin immediately
- Implement server-side verification of PayPal IPN messages in custom code (posting each notification back to PayPal for validation before treating it as a payment)
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for CP Contact Form with PayPal version. If version is 1.3.56 or lower, you are vulnerable.
Check Version:
wp plugin get cp-contact-form-with-paypal --field=version
Verify Fix Applied:
After updating, verify plugin version shows 1.3.57 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests containing 'cp_contactformpp_ipncheck' parameter
- Unusual payment confirmations without corresponding PayPal transactions
- Multiple form submissions marked as paid in quick succession
Network Indicators:
- POST requests to WordPress site with cp_contactformpp_ipncheck parameter and payment_status/txn_id/payer_email fields
- Requests from non-PayPal IP addresses to payment confirmation endpoints
SIEM Query:
SELECT * FROM web_logs WHERE url_query LIKE '%cp_contactformpp_ipncheck%' AND http_method = 'POST'
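As an added detection example (not part of the original advisory), the following Python runs the log indicators above over constructed Apache access-log lines: it extracts POSTs carrying the cp_contactformpp_ipncheck parameter, flags bursts of IPN-check requests from a single source, and marks requests from addresses outside a hypothetical allowlist of IPN senders. The sample lines and the allowlist are assumptions, not data from the page.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit
# Constructed sample access-log lines (Apache combined format), not real traffic:
# 203.0.113.7 bursts three IPN-check POSTs; 192.0.2.50 stands in for a trusted sender.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:14:02:11 +0000] "POST /?cp_contactformpp_ipncheck=1&payment_status=Completed&txn_id=ABC123 HTTP/1.1" 200 512 "-" "curl/8.4"
198.51.100.20 - - [10/Mar/2025:14:02:12 +0000] "GET /contact/ HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:14:02:13 +0000] "POST /?cp_contactformpp_ipncheck=1&payment_status=Completed&txn_id=ABC124 HTTP/1.1" 200 512 "-" "curl/8.4"
203.0.113.7 - - [10/Mar/2025:14:02:14 +0000] "POST /?cp_contactformpp_ipncheck=1&payment_status=Completed&txn_id=ABC125 HTTP/1.1" 200 512 "-" "curl/8.4"
192.0.2.50 - - [10/Mar/2025:14:30:00 +0000] "POST /?cp_contactformpp_ipncheck=1&payment_status=Completed&txn_id=9XY77 HTTP/1.1" 200 512 "-" "PayPal IPN"
"""

# Hypothetical allowlist of IPN sender addresses; populate it from your payment
# provider's published ranges (an assumption for this example, not page data).
IPN_SOURCE_ALLOWLIST = {"192.0.2.50"}
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) ')

def parse_ipn_hits(log_text):
    """Return one record per POST whose query string carries cp_contactformpp_ipncheck."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        qs = parse_qs(urlsplit(m["target"]).query)
        if "cp_contactformpp_ipncheck" not in qs:
            continue
        hits.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "txn_id": qs.get("txn_id", [""])[0],
            "trusted_source": m["ip"] in IPN_SOURCE_ALLOWLIST,
        })
    return hits

def find_bursts(hits, window_seconds=60, threshold=3):
    """Return source IPs that sent >= threshold IPN-check POSTs within window_seconds."""
    by_ip = defaultdict(list)
    for h in hits:
        by_ip[h["ip"]].append(h["ts"])
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_seconds:
                flagged.add(ip)
                break
    return flagged
```

Records with trusted_source set to False, and any IP returned by find_bursts, are the ones to reconcile against actual PayPal transactions.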
🔗 References
- https://plugins.trac.wordpress.org/browser/cp-contact-form-with-paypal/tags/1.3.56/cp_contactformpp_functions.php#L541
- https://plugins.trac.wordpress.org/browser/cp-contact-form-with-paypal/tags/1.3.56/cp_contactformpp_functions.php#L877
- https://plugins.trac.wordpress.org/browser/cp-contact-form-with-paypal/tags/1.3.56/cp_contactformpp_functions.php#L925
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399104%40cp-contact-form-with-paypal&new=3399104%40cp-contact-form-with-paypal&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6639c3d8-8f26-4ee5-8c4b-2efcf34668a2?source=cve