Cross-Site Scripting in Payment Form for PayPal Pro Plugin by WordPress

CVE-2015-7666

What is CVE-2015-7666?

The Payment Form for PayPal Pro plugin for WordPress contains multiple cross-site scripting vulnerabilities in its cp_updateMessageItem and cp_deleteMessageItem functions. These vulnerabilities allow remote attackers to inject arbitrary web scripts or HTML through the manipulative cal parameter, posing significant security risks to affected WordPress installations. It is crucial for users to update to the latest version to mitigate these vulnerabilities and enhance site security.

References