ReportizFlow
Filtered by vendor Codepeople
Subscriptions
Total
72 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-13318 | 2 Codepeople, Wordpress | 2 Booking Calendar Contact Form, Wordpress | 2025-11-24 | 5.3 Medium |
| The Booking Calendar Contact Form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.60. This is due to missing authorization checks and payment verification in the `dex_bccf_check_IPN_verification` function. This makes it possible for unauthenticated attackers to arbitrarily confirm bookings and bypass payment requirements via the 'dex_bccf_ipn' parameter. | ||||
| CVE-2025-13384 | 2 Codepeople, Wordpress | 2 Cp Contact Form With Paypal, Wordpress | 2025-11-24 | 7.5 High |
| The CP Contact Form with PayPal plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.56. This is due to the plugin exposing an unauthenticated IPN-like endpoint (via the 'cp_contactformpp_ipncheck' query parameter) that processes payment confirmations without any authentication, nonce verification, or PayPal IPN signature validation. This makes it possible for unauthenticated attackers to mark form submissions as paid without making actual payments by sending forged payment notification requests with arbitrary POST data (payment_status, txn_id, payer_email). | ||||
| CVE-2025-13317 | 2 Codepeople, Wordpress | 2 Appointment Booking Calendar, Wordpress | 2025-11-24 | 5.3 Medium |
| The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.96. This is due to the plugin exposing an unauthenticated booking processing endpoint (cpabc_appointments_check_IPN_verification) that trusts attacker-supplied payment notifications without verifying their origin, authenticity, or requiring proper authorization checks. This makes it possible for unauthenticated attackers to arbitrarily confirm bookings and insert them into the live calendar via the 'cpabc_ipncheck' parameter, triggering administrative and customer notification emails and disrupting operations. | ||||
| CVE-2025-64369 | 2 Codepeople, Wordpress | 2 Contact Form Email, Wordpress | 2025-11-17 | 6.5 Medium |
| Missing Authorization vulnerability in codepeople Contact Form Email contact-form-to-email allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form Email: from n/a through <= 1.3.58. | ||||
| CVE-2025-64261 | 2 Codepeople, Wordpress | 2 Appointment Booking Calendar, Wordpress | 2025-11-14 | 6.5 Medium |
| Missing Authorization vulnerability in codepeople Appointment Booking Calendar appointment-booking-calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Appointment Booking Calendar: from n/a through <= 1.3.95. | ||||
| CVE-2024-12274 | 1 Codepeople | 1 Appointment Booking Calendar | 2025-08-27 | 7.5 High |
| The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin before 1.1.23 export settings functionality exports data to a public folder, with an easily guessable file name, allowing unauthenticated attackers to access the exported files (if they exist). | ||||
| CVE-2025-48231 | 2 Codepeople, Wordpress | 2 Booking Calendar Contact Form, Wordpress | 2025-07-14 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codepeople Booking Calendar Contact Form allows Stored XSS. This issue affects Booking Calendar Contact Form: from n/a through 1.2.58. | ||||
| CVE-2025-24723 | 2 Codepeople, Wordpress | 2 Booking Calendar Contact Form, Wordpress | 2025-07-13 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodePeople Booking Calendar Contact Form allows Stored XSS. This issue affects Booking Calendar Contact Form: from n/a through 1.2.55. | ||||
| CVE-2023-48318 | 2 Codepeople, Wordpress | 2 Contact Form Email, Wordpress | 2025-07-13 | 5.3 Medium |
| Improper Restriction of Excessive Authentication Attempts vulnerability in CodePeople Contact Form Email allows Functionality Bypass.This issue affects Contact Form Email: from n/a through 1.3.41. | ||||
| CVE-2023-27460 | 1 Codepeople | 1 Cp Contact Form With Paypal | 2025-07-13 | 4.3 Medium |
| Missing Authorization vulnerability in CodePeople, paypaldev CP Contact Form with Paypal allows Functionality Misuse.This issue affects CP Contact Form with Paypal: from n/a through 1.3.34. | ||||
| CVE-2023-25037 | 2 Codepeople, Wordpress | 2 Booking Calendar Contact Form, Wordpress | 2025-07-13 | 4.3 Medium |
| Missing Authorization vulnerability in CodePeople Booking Calendar Contact Form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booking Calendar Contact Form: from n/a through 1.2.34. | ||||
| CVE-2023-28494 | 2 Codepeople, Wordpress | 2 Contact Form Email, Wordpress | 2025-07-12 | 4.3 Medium |
| Missing Authorization vulnerability in CodePeople Contact Form Email allows Functionality Misuse.This issue affects Contact Form Email: from n/a through 1.3.31. | ||||
| CVE-2025-24626 | 2 Codepeople, Wordpress | 2 Music Store, Wordpress | 2025-07-12 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodePeople Music Store allows Reflected XSS. This issue affects Music Store: from n/a through 1.1.19. | ||||
| CVE-2025-24672 | 2 Codepeople, Wordpress | 2 Form Builder Cp, Wordpress | 2025-07-12 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CodePeople Form Builder CP allows SQL Injection. This issue affects Form Builder CP: from n/a through 1.2.41. | ||||
| CVE-2025-49291 | 1 Codepeople | 1 Calculated Fields Form | 2025-07-02 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in codepeople Calculated Fields Form allows Cross Site Request Forgery. This issue affects Calculated Fields Form: from n/a through 5.3.58. | ||||
| CVE-2025-39562 | 1 Codepeople | 1 Payment Form For Paypal Pro | 2025-06-24 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codepeople Payment Form for PayPal Pro allows Stored XSS. This issue affects Payment Form for PayPal Pro: from n/a through 1.1.72. | ||||
| CVE-2025-49332 | 1 Codepeople | 1 Wp Time Slots Booking Form | 2025-06-24 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in codepeople WP Time Slots Booking Form allows Cross Site Request Forgery. This issue affects WP Time Slots Booking Form: from n/a through 1.2.30. | ||||
| CVE-2022-41790 | 1 Codepeople | 1 Wp Time Slots Booking Form | 2025-06-18 | 4.3 Medium |
| Missing Authorization vulnerability in CodePeople WP Time Slots Booking Form.This issue affects WP Time Slots Booking Form: from n/a through 1.1.76. | ||||
| CVE-2023-0389 | 1 Codepeople | 1 Calculated Fields Form | 2025-06-11 | 4.8 Medium |
| The Calculated Fields Form WordPress plugin before 1.1.151 does not sanitise and escape some of its form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2024-9940 | 1 Codepeople | 1 Calculated Fields Form | 2025-06-05 | 5.3 Medium |
| The Calculated Fields Form plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 5.2.45. This is due to the plugin not properly neutralizing HTML elements from submitted forms. This makes it possible for unauthenticated attackers to inject arbitrary HTML that will render when the administrator views form submissions in their email. | ||||