Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in codepeople CP Contact Form with Paypal cp-contact-form-with-paypal allows Blind SQL Injection.This issue affects CP Contact Form with Paypal: from n/a through <= 1.3.61.
Published: 2026-03-13
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Breach via Blind SQL Injection
Action: Patch
AI Analysis

Impact

CWE‑89 (Improper Neutralization of Special Elements used in an SQL Command) underlies a blind SQL injection flaw in the Codepeople CP Contact Form with PayPal plugin. Key detail from CVE description: the vulnerability permits attackers to inject malicious SQL through the contact form, potentially allowing them to read or modify underlying database records. The impact is a data breach that could expose sensitive user data or compromise site functionality.

Affected Systems

Systems using the WordPress plugin Codepeople CP Contact Form with PayPal version 1.3.61 or earlier are affected. This includes any WordPress site that has installed the plugin without upgrading past the vulnerable version.

Risk and Exploitability

The CVSS score of 8.5 classifies this issue as High severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an attacker to submit a crafted payload via the plugin’s contact form; the lack of error messages means the attack is blind, but timing or other side channels can still reveal database structure or data.

Generated by OpenCVE AI on March 19, 2026 at 15:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CP Contact Form with PayPal to a version newer than 1.3.61
  • If an upgrade is not possible, disable or remove the plugin until an official patch is released
  • Monitor database access logs for anomalous queries and consider limiting database privileges for the WordPress database user

Generated by OpenCVE AI on March 19, 2026 at 15:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Codepeople
Codepeople cp Contact Form With Paypal
Wordpress
Wordpress wordpress
Vendors & Products Codepeople
Codepeople cp Contact Form With Paypal
Wordpress
Wordpress wordpress

Fri, 13 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Fri, 13 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in codepeople CP Contact Form with Paypal cp-contact-form-with-paypal allows Blind SQL Injection.This issue affects CP Contact Form with Paypal: from n/a through <= 1.3.61.
Title WordPress CP Contact Form with Paypal plugin <= 1.3.61 - SQL Injection vulnerability
Weaknesses CWE-89
References

Subscriptions

Codepeople Cp Contact Form With Paypal
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:16:15.990Z

Reserved: 2026-03-12T11:11:30.947Z

Link: CVE-2026-32433

cve-icon Vulnrichment

Updated: 2026-03-13T19:29:41.996Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:55:02.873

Modified: 2026-03-16T14:53:46.157

Link: CVE-2026-32433

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T12:03:31Z

Weaknesses