[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fOXIzKc6b_T-c0__C9YYiEn2r4OstqxDsOETLhu_15-I":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-32433","cp-contact-form-with-paypal-authenticated-contributor-sql-injection","CP Contact Form with Paypal \u003C= 1.3.61 - Authenticated (Contributor+) SQL Injection","The CP Contact Form with Paypal plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.3.61 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","cp-contact-form-with-paypal",null,"\u003C=1.3.61","1.3.62","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-03-02 00:00:00","2026-04-15 21:19:03",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3fb59a19-3d04-4605-a98a-bcff51359708?source=api-prod",45,[22,23,24],"README.txt","cp_contactformpp.php","cp_contactformpp_functions.php","researched",false,3,"This exploitation research plan targets an authenticated SQL injection vulnerability in the **CP Contact Form with PayPal** plugin (versions \u003C= 1.3.61). The vulnerability arises from the plugin's data management logic, which processes user-supplied parameters in raw SQL queries without using `$wpdb->prepare()`.\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Authenticated SQL Injection\n*   **Affected Parameter:** `ids` (or `uids`) used in CSV export or message management.\n*   **Vulnerable Sink:** `cp_contactformpp_data_management_loaded()` in `cp_contactformpp_functions.php`.\n*   **Reason:** The plugin uses string concatenation to build a `SELECT` query with an `IN` clause using the user-supplied `ids` parameter. It fails to sanitize the input or use prepared statements, allowing an attacker to break out of the query.\n*   **Privilege Level:** Contributor or higher. While the settings page is limited to `manage_options`, the data processing logic in `wp_loaded` often checks for the `edit_posts` capability, which Contributors possess.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Findex.php` or `\u002F` (triggered via the `wp_loaded` hook).\n*   **Action:** `cp_contact_form_paypal_export_csv`.\n*   **HTTP Parameter:** `ids` (sent via GET or POST).\n*   **Authentication:** Required (Contributor-level session).\n*   **Preconditions:** At least one entry must exist in the `cp_contact_form_paypal_posts` table for the query to return results or for the time-based injection to be clearly observable.\n\n### 3. Code Flow\n1.  **Entry Point:** The plugin registers `cp_contactformpp_data_management_loaded` on the `wp_loaded` hook in `cp_contactformpp.php`.\n    ```php\n    add_action('wp_loaded', 'cp_contactformpp_data_management_loaded' );\n    ```\n2.  **Logic Dispatch:** Inside `cp_contactformpp_functions.php`, the function `cp_contactformpp_data_management_loaded()` checks for the `action` parameter.\n    ```php\n    function cp_contactformpp_data_management_loaded() {\n        if (isset($_GET['action']) && $_GET['action'] == 'cp_contact_form_paypal_export_csv') {\n            \u002F\u002F Capability check (often edit_posts or missing)\n            if (current_user_can('edit_posts')) {\n                cp_contact_form_paypal_export_csv();\n            }\n        }\n    }\n    ```\n3.  **The Sink:** The export function retrieves the `ids` parameter and concatenates it into a SQL query.\n    ```php\n    function cp_contact_form_paypal_export_csv() {\n        global $wpdb;\n        $ids = $_GET['ids']; \u002F\u002F SINK: Directly from $_GET\n        $table = $wpdb->prefix . \"cp_contact_form_paypal_posts\";\n        \u002F\u002F Vulnerable Query\n        $results = $wpdb->get_results(\"SELECT * FROM $table WHERE id IN ($ids)\");\n        \u002F\u002F ... processes $results into CSV ...\n    }\n    ```\n\n### 4. Nonce Acquisition Strategy\nIn many versions of this plugin, the `wp_loaded` actions for CSV export","The CP Contact Form with PayPal plugin is vulnerable to authenticated SQL Injection because it concatenates user-controlled variables like 'id' directly into SQL queries without using $wpdb->prepare() or integer casting. Attackers with Contributor-level access or higher can exploit this to extract sensitive database information via time-based or boolean-based blind injection techniques.","\u002F\u002F cp_contactformpp_functions.php line 310\nif ($id != '')\n    $myrows = $wpdb->get_results( \"SELECT * FROM \".$wpdb->prefix.CP_CONTACTFORMPP_FORMS_TABLE.\" WHERE id=\".$id );\n\n---\n\n\u002F\u002F cp_contactformpp_functions.php line 1509\nelse\n{\n   $myrows = $wpdb->get_results( \"SELECT * FROM \".$wpdb->prefix.CP_CONTACTFORMPP_FORMS_TABLE.\" WHERE id=\".$id );\n   if (count($myrows)) \n   {\n       $value = $myrows[0]->$field;\n       $cp_contactformpp_option_buffered_item = $myrows[0];\n       $cp_contactformpp_option_buffered_id = $id;\n   }\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcp-contact-form-with-paypal\u002F1.3.61\u002Fcp_contactformpp_functions.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcp-contact-form-with-paypal\u002F1.3.62\u002Fcp_contactformpp_functions.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcp-contact-form-with-paypal\u002F1.3.61\u002Fcp_contactformpp_functions.php\t2026-02-05 11:47:06.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcp-contact-form-with-paypal\u002F1.3.62\u002Fcp_contactformpp_functions.php\t2026-02-16 18:30:40.000000000 +0000\n@@ -310,8 +310,8 @@\n     $CP_CPP_global_form_count = \"_\".$CP_CFPP_global_form_count_number;  \n     if (!defined('CP_AUTH_INCLUDE')) define('CP_AUTH_INCLUDE', true);\n \n-    if ($id != '')\n-        $myrows = $wpdb->get_results( \"SELECT * FROM \".$wpdb->prefix.CP_CONTACTFORMPP_FORMS_TABLE.\" WHERE id=\".$id );\n+    if ($id != '')        \n+        $myrows = $wpdb->get_results( $wpdb->prepare( \"SELECT * FROM \".$wpdb->prefix.CP_CONTACTFORMPP_FORMS_TABLE.\" WHERE id=%d\", $id) );\n     else\n         $myrows = $wpdb->get_results( \"SELECT * FROM \".$wpdb->prefix.CP_CONTACTFORMPP_FORMS_TABLE );\n     if ($id == '') $id = $myrows[0]->id;\n@@ -1503,12 +1508,13 @@\n     }    \n     if ($id == '') \n         $id = CP_CONTACTFORMPP_ID;\n+    $id = intval($id);\n     global $wpdb, $cp_contactformpp_option_buffered_item, $cp_contactformpp_option_buffered_id;\n     if ($cp_contactformpp_option_buffered_id == $id)\n         $value = (property_exists($cp_contactformpp_option_buffered_item, $field) && isset($cp_contactformpp_option_buffered_item->$field) ? @$cp_contactformpp_option_buffered_item->$field : '');\n     else\n     {\n-       $myrows = $wpdb->get_results( \"SELECT * FROM \".$wpdb->prefix.CP_CONTACTFORMPP_FORMS_TABLE.\" WHERE id=\".$id );\n+       $myrows = $wpdb->get_results( $wpdb->prepare( \"SELECT * FROM \".$wpdb->prefix.CP_CONTACTFORMPP_FORMS_TABLE.\" WHERE id=%d\", $id) );\n        if (count($myrows)) \n        {","The exploit targets endpoints that process the 'id' or 'ids' parameters, such as form settings retrieval or CSV data export. An authenticated user (Contributor or higher) sends a request (GET or POST) containing a malicious SQL payload in place of the expected integer ID. For example, setting 'id=1 OR SLEEP(5)' in a request that triggers form data retrieval allows an attacker to confirm the vulnerability via a time-based delay. Since the plugin fails to sanitize these inputs before appending them to the WHERE clause, standard SQL injection payloads can be used to exfiltrate data from the 'wp_users' table or other sensitive tables.","gemini-3-flash-preview","2026-04-18 22:00:34","2026-04-18 22:01:27",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","1.3.61","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcp-contact-form-with-paypal\u002Ftags\u002F1.3.61","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcp-contact-form-with-paypal.1.3.61.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcp-contact-form-with-paypal\u002Ftags\u002F1.3.62","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcp-contact-form-with-paypal.1.3.62.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcp-contact-form-with-paypal\u002Ftags"]