The CP Contact Form with PayPal plugin for WordPress suffers from a Missing Authorization vulnerability (CWE-862) identified as CVE-2025-13384. This vulnerability exists in all versions up to and including 1.3.56. The root cause is the exposure of an unauthenticated IPN-like endpoint accessible via the 'cp_contactformpp_ipncheck' query parameter. This endpoint processes payment confirmation requests without any form of authentication, nonce verification, or validation of PayPal IPN signatures. As a result, attackers can craft and send arbitrary POST requests containing parameters such as payment_status, txn_id, and payer_email to falsely mark form submissions as paid. The vulnerability allows attackers to bypass payment verification mechanisms, compromising the integrity of transaction data. The CVSS v3.1 score is 7.5 (high), reflecting the network attack vector, no required privileges or user interaction, and a high impact on integrity. Although no exploits have been reported in the wild, the vulnerability poses a significant risk to websites relying on this plugin for payment processing. The lack of patch links suggests that a fix may not yet be available, emphasizing the need for immediate mitigation.

This vulnerability can severely impact organizations using the CP Contact Form with PayPal plugin by allowing attackers to fraudulently mark payments as completed without actual transactions. This undermines the integrity of payment processing, potentially leading to financial losses, fraudulent access to goods or services, and reputational damage. E-commerce sites and donation platforms relying on this plugin are particularly at risk. The ability to exploit this remotely without authentication or user interaction increases the attack surface and ease of exploitation. While availability and confidentiality are not directly affected, the integrity breach can disrupt business operations and trust in payment systems. Organizations may also face compliance issues if fraudulent transactions are not detected promptly.

Organizations should immediately audit their use of the CP Contact Form with PayPal plugin and restrict or disable the vulnerable IPN-like endpoint if possible. Until an official patch is released, implement web application firewall (WAF) rules to block or challenge requests containing the 'cp_contactformpp_ipncheck' parameter from untrusted sources. Employ network-level restrictions to limit access to the endpoint only to legitimate PayPal IP addresses. Monitor logs for suspicious POST requests attempting to manipulate payment statuses. Consider temporarily disabling the PayPal integration in the plugin or replacing it with a more secure payment processing solution. Once a patch is available, apply it promptly. Additionally, validate payment confirmations server-side by cross-referencing with PayPal’s official APIs rather than relying solely on plugin endpoints. Educate site administrators about the risk and ensure backups are maintained to recover from potential fraudulent transactions.