Skip to main content

Cp Contact Form With Paypal CVE-2026-32433

| EUVDEUVD-2026-11969 HIGH
SQL Injection (CWE-89)
2026-03-13 Patchstack
8.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 22, 2026 - 21:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-11969
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 11:42 nvd
HIGH 8.5

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in codepeople CP Contact Form with Paypal cp-contact-form-with-paypal allows Blind SQL Injection.This issue affects CP Contact Form with Paypal: from n/a through <= 1.3.61.

AnalysisAI

CP Contact Form with Paypal through version 1.3.61 contains a blind SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries with network access. An attacker with user-level privileges can exploit this flaw to extract sensitive database information, though no patch is currently available.

Technical ContextAI

The vulnerability stems from improper neutralization of special elements used in SQL commands (CWE-89), a classic SQL injection flaw where user input is not properly sanitized before being incorporated into database queries. The CP Contact Form with Paypal plugin (codepeople cp-contact-form-with-paypal) is a WordPress form builder that integrates PayPal payment functionality. The blind SQL injection variant means attackers cannot see query results directly but can infer information through application behavior differences based on true/false conditions in injected SQL statements. No specific CPE identifier is provided in the available data.

RemediationAI

Update the CP Contact Form with Paypal plugin to a version newer than 1.3.61 if available, though no specific patched version is mentioned in the provided data. As immediate mitigation, restrict access to WordPress admin areas through IP whitelisting or additional authentication layers since the vulnerability requires low-privileged authentication. Implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts, and consider database activity monitoring to detect potential exploitation attempts. Regular security audits of form input handling code should be conducted.

Share

CVE-2026-32433 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy