
CVE-2024-13758: CWE-352 Cross-Site Request Forgery (CSRF) in codepeople CP Contact Form with PayPal

Severity: Medium
Published: Thu Jan 30 2025 (01/30/2025, 08:21:26 UTC)
Source: CVE Database V5
Vendor/Project: codepeople
Product: CP Contact Form with PayPal

Description

CVE-2024-13758 is a Cross-Site Request Forgery (CSRF) vulnerability in the CP Contact Form with PayPal WordPress plugin versions up to 1.3.52. The flaw arises from missing or incorrect nonce validation in the cp_contact_form_paypal_check_init_actions() function, allowing unauthenticated attackers to add discount codes by tricking a site administrator into clicking a malicious link. Exploitation requires user interaction but no authentication, and it impacts the integrity of the affected site by enabling unauthorized modifications. The vulnerability has a CVSS 3.1 score of 6.5 (medium severity). No known exploits are reported in the wild yet. Organizations using this plugin should prioritize patching or implementing nonce validation to prevent unauthorized discount code additions.

AI-Powered Analysis

Last updated: 02/25/2026, 22:13:27 UTC

Technical Analysis

CVE-2024-13758 is a medium severity Cross-Site Request Forgery (CSRF) vulnerability affecting the CP Contact Form with PayPal plugin for WordPress, specifically all versions up to and including 1.3.52. The vulnerability stems from missing or incorrect nonce validation in the cp_contact_form_paypal_check_init_actions() function, which is responsible for processing certain actions related to PayPal discount codes. Nonces are security tokens used to verify that requests originate from legitimate users and not from forged sources. Because this validation is absent or improperly implemented, an attacker can craft a malicious link or webpage that, when visited by a site administrator, triggers unauthorized actions such as adding discount codes without the administrator's consent. This attack vector requires no authentication but does require user interaction (clicking a link). The impact affects the integrity of the site by allowing unauthorized modifications to discount codes, potentially leading to financial loss or abuse of promotional offers. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) indicates network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, no confidentiality impact, high integrity impact, and no availability impact. No patches or exploits are currently publicly available, but the vulnerability is published and should be addressed promptly by site administrators and developers.

Potential Impact

The primary impact of this vulnerability is on the integrity of the affected WordPress sites using the CP Contact Form with PayPal plugin. Attackers can add unauthorized discount codes, potentially leading to financial losses through fraudulent discounts or abuse of promotional campaigns. This can undermine customer trust and damage the reputation of affected businesses. Since the attack requires tricking an administrator into clicking a malicious link, social engineering is a key component, increasing the risk in environments where administrators may be targeted via phishing. The vulnerability does not affect confidentiality or availability directly but can indirectly cause operational disruptions if financial discrepancies arise or if the site’s promotional mechanisms are compromised. Organizations relying on this plugin for payment processing or discount management are at risk, especially e-commerce sites and businesses with active promotional campaigns. The lack of known exploits in the wild suggests limited current exploitation but does not preclude future attacks once the vulnerability becomes widely known.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately update the CP Contact Form with PayPal plugin to a version that includes proper nonce validation once available. Until an official patch is released, site administrators can implement manual nonce checks in the cp_contact_form_paypal_check_init_actions() function to ensure requests are legitimate. Additionally, administrators should be trained to avoid clicking on suspicious links and to verify the authenticity of requests related to administrative actions. Employing web application firewalls (WAFs) with rules to detect and block CSRF attempts targeting this plugin can provide temporary protection. Regularly monitoring logs for unusual discount code additions or administrative actions can help detect exploitation attempts early. Restricting administrative access to trusted networks and using multi-factor authentication can reduce the risk of successful social engineering. Finally, developers should review other plugin functions for similar nonce validation issues to prevent related vulnerabilities.
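To make the nonce recommendation concrete, here is an added illustration (not the plugin's own code, which this page does not show): a hypothetical WordPress `init` handler that stores a discount code, first in the unchecked shape the advisory describes and then with the nonce and capability checks a maintainer would add. The handler names, the `cpcfpp_add_discount` action, the `_cpcfpp_nonce` field and the `cpcfpp_discount_codes` option are all assumed for the example.

```php
<?php
// Added example, not the plugin's code. All function, action and option names are assumed.

// UNCHECKED pattern: any request carrying the right parameters is acted on. With no
// nonce and no capability check, the browser of a logged-in administrator who follows
// a crafted link will submit it together with their session cookie.
function cpcfpp_add_discount_unchecked() {
    if ( isset( $_REQUEST['cpcfpp_action'] ) && 'add_discount' === $_REQUEST['cpcfpp_action'] ) {
        $codes   = get_option( 'cpcfpp_discount_codes', array() );
        $codes[] = sanitize_text_field( wp_unslash( $_REQUEST['code'] ) );
        update_option( 'cpcfpp_discount_codes', $codes );
    }
}

// HARDENED pattern: the request must come from a user allowed to manage the site AND
// carry a nonce that WordPress issued to that user for this specific action.
function cpcfpp_add_discount_checked() {
    if ( ! isset( $_REQUEST['cpcfpp_action'] ) || 'add_discount' !== $_REQUEST['cpcfpp_action'] ) {
        return;
    }
    // Authorization check. A CSRF victim is logged in, so this alone does not stop CSRF...
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // ...but the nonce is bound to the user, the action name and a time window, and a
    // third-party page cannot obtain it. check_admin_referer() calls wp_die() on failure.
    check_admin_referer( 'cpcfpp_add_discount', '_cpcfpp_nonce' );

    $codes   = get_option( 'cpcfpp_discount_codes', array() );
    $codes[] = sanitize_text_field( wp_unslash( $_REQUEST['code'] ) );
    update_option( 'cpcfpp_discount_codes', $codes );
}
add_action( 'init', 'cpcfpp_add_discount_checked' );

// The legitimate admin UI must mint the nonce the handler expects. For a link:
function cpcfpp_discount_link( $code ) {
    // add_query_arg() does not encode values, so encode the code explicitly.
    $url = add_query_arg(
        array( 'cpcfpp_action' => 'add_discount', 'code' => rawurlencode( $code ) ),
        admin_url()
    );
    return wp_nonce_url( $url, 'cpcfpp_add_discount', '_cpcfpp_nonce' );
}
// For a form, emit the hidden field instead:
//   wp_nonce_field( 'cpcfpp_add_discount', '_cpcfpp_nonce' );
```

Reviewing for the related issue the advisory mentions means checking that every state-changing handler in the plugin has both the capability check and a nonce check with a distinct action name, not just this one.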


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-01-28T00:13:26.157Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e6db7ef31ef0b5a06ca

Added to database: 2/25/2026, 9:49:33 PM

Last enriched: 2/25/2026, 10:13:27 PM

Last updated: 2/26/2026, 7:38:16 AM

