Cross-Site Request Forgery Vulnerability in Avishi WP PayPal Payment Button Plugin for WordPress
CVE-2025-7669

6.1MEDIUM

Key Information:

Vendor: WordPress
Status: Avishi WP Paypal Payment Button
Vendor: CVE Published:; 19 July 2025

What is CVE-2025-7669?

The Avishi WP PayPal Payment Button plugin for WordPress suffers from a Cross-Site Request Forgery vulnerability, allowing unauthenticated attackers to issue forged requests due to inadequate nonce validation. This weakness may enable malicious actors to manipulate settings or inject harmful scripts if they can trick site administrators into performing specific actions, such as clicking a link. Users are advised to review and implement security measures to safeguard against potential exploits related to this vulnerability.

Affected Version(s)

Avishi WP PayPal Payment Button * <= 2.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/avishi-wp-payp...

https://wordpress.org/plugins/avishi-wp-paypal-payment-bu...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 19, 2025
Vulnerability Reserved
Jul 14, 2025

Credit

Johannes Skamletz