Stored Cross-Site Scripting Vulnerability in PayPal Plugin for WordPress
CVE-2024-13401

6.4MEDIUM

Key Information:

Vendor
WordPress
Status
Payment Button For Paypal
Vendor
CVE Published:
17 January 2025

Summary

The Payment Button for PayPal plugin for WordPress contains a vulnerability that allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. This vulnerability arises from inadequate input sanitization and output escaping for the 'wp_paypal_checkout' shortcode. As a result, any user accessing an affected page may have their session compromised, making it crucial for website owners to update to the latest version of the plugin to mitigate potential threats.

Affected Version(s)

Payment Button for PayPal * <= 1.2.3.35

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/wp-paypal/trun...
https://plugins.trac.wordpress.org/browser/wp-paypal/trun...

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

muhammad yudha
.