CVE-2026-32433

The CP Contact Form with Paypal plugin for WordPress, versions 1.3.61 and earlier fails to properly neutralize special elements used in an SQL command, leading to a blind SQL injection vulnerability. The flaw resides in how user-supplied input is handled before being passed to database queries, allowing an attacker to inject arbitrary SQL statements without proper sanitization or parameterization.

Exploitation does not require authentication, making the attack surface broad. An attacker can send crafted HTTP requests to the vulnerable plugin endpoint, injecting SQL commands that are executed blindly. This type of injection is often used in mass-exploit campaigns targeting thousands of WordPress sites regardless of size or popularity [1].

Successful exploitation enables a malicious actor to interact directly with the underlying database. This includes the ability to extract sensitive information such as user credentials, personal data, and other stored content. The CVSS score of 8.5 reflects the high potential for data compromise [1].

The vendor has released version 1.3.62 which addresses the vulnerability. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. If updating is not possible, contacting a hosting provider or web developer for assistance is recommended [1].