Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in codepeople CP Contact Form with Paypal cp-contact-form-with-paypal allows Blind SQL Injection.This issue affects CP Contact Form with Paypal: from n/a through <= 1.3.61.
AnalysisAI
CP Contact Form with Paypal through version 1.3.61 contains a blind SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries with network access. An attacker with user-level privileges can exploit this flaw to extract sensitive database information, though no patch is currently available.
Technical ContextAI
The vulnerability stems from improper neutralization of special elements used in SQL commands (CWE-89), a classic SQL injection flaw where user input is not properly sanitized before being incorporated into database queries. The CP Contact Form with Paypal plugin (codepeople cp-contact-form-with-paypal) is a WordPress form builder that integrates PayPal payment functionality. The blind SQL injection variant means attackers cannot see query results directly but can infer information through application behavior differences based on true/false conditions in injected SQL statements. No specific CPE identifier is provided in the available data.
RemediationAI
Update the CP Contact Form with Paypal plugin to a version newer than 1.3.61 if available, though no specific patched version is mentioned in the provided data. As immediate mitigation, restrict access to WordPress admin areas through IP whitelisting or additional authentication layers since the vulnerability requires low-privileged authentication. Implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts, and consider database activity monitoring to detect potential exploitation attempts. Regular security audits of form input handling code should be conducted.
More in Cp Contact Form With Paypal
View allThe "CP Contact Form with PayPal" plugin before 1.2.99 for WordPress has XSS in the publishing wizard via the wp-admin/a
The cp-contact-form-with-paypal (aka CP Contact Form with PayPal) plugin before 1.1.6 for WordPress has CSRF with result
The cp-contact-form-with-paypal (aka CP Contact Form with PayPal) plugin before 1.1.6 for WordPress has SQL injection vi
The "CP Contact Form with PayPal" plugin before 1.2.98 for WordPress has XSS in CSS edition. Rated medium severity (CVSS
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11969