CVE-2026-32433

codepeople · CP Contact Form with Paypal

The CP Contact Form with Paypal (cp-contact-form-with-paypal) software is susceptible to Blind SQL Injection due to improper neutralization of special elements in SQL commands.

Executive summary

A High-severity Blind SQL Injection vulnerability in the codepeople CP Contact Form with Paypal plugin potentially allows attackers to access and exfiltrate sensitive database records.

Vulnerability

This vulnerability is a Blind SQL Injection located in the cp-contact-form-with-paypal component. It arises from the failure to properly sanitize user input that is used in database operations, enabling attackers to execute unauthorized queries and extract data.

Business impact

The impact of this vulnerability includes the potential exposure of contact form submissions, transaction details, and user account information. With a CVSS score of 8.5, the risk to the organization's data confidentiality is high, potentially leading to identity theft or the compromise of financial transaction records.

Remediation

Immediate Action: Apply the vendor-provided security patches for CP Contact Form with Paypal without delay to eliminate the injection vulnerability.

Proactive Monitoring: Review application and database logs for any signs of automated scanning or unusual SQL syntax originating from public-facing forms.

Compensating Controls: Restrict the database user's permissions to the minimum necessary and use a Web Application Firewall (WAF) to detect and block SQL injection patterns.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability poses a significant threat to any site using the CP Contact Form with Paypal plugin. Administrators should prioritize applying the official patch to mitigate the risk of unauthorized database interactions and to ensure the security of user-submitted data.