Description
The Paypal Payment Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buttom_image' parameter of the [paypal-shortcode] shortcode in all versions up to, and including, 1.01 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-12-12
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that can be injected by authenticated users with a Contributor role or higher in the Paypal Payment Shortcode WordPress plugin
Action: Patch Plugin
AI Analysis

Impact

A stored cross‑site scripting vulnerability exists in the Paypal Payment Shortcode WordPress plugin, triggered by the 'buttom_image' attribute of the [paypal-shortcode] shortcode. Because the plugin does not sanitize or escape this parameter, an authenticated user with Contributor-level access can embed arbitrary JavaScript that will run for any visitor to a page containing the injected shortcode. This flaw can be used to deface web content, steal cookies, hijack user sessions, or otherwise compromise the integrity of the site from the perspective of other users.

Affected Systems

The vulnerability affects any installation of the Paypal Payment Shortcode plugin for WordPress with version 1.01 or earlier. This includes all WordPress sites that have upgraded using the plugin as of the stated release.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity. The EPSS score is < 1%, suggesting a low probability of exploitation at this time, and the flaw is not listed in the CISA KEV catalog. Exploitation requires some level of authenticated access—specifically a Contributor or higher role—to edit or add content containing the shortcode. Once the malicious code is stored, it is executed on subsequent page requests for all visitors, implying a potential compromise of confidentiality, integrity, and availability for all site users. The most likely attack path is through page or post editing features where a user can include the vulnerable shortcode.

Generated by OpenCVE AI on April 21, 2026 at 00:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Paypal Payment Shortcode plugin to the newest available version that removes the vulnerability
  • If a newer version is not immediately available, edit or disable any usage of the 'buttom_image' attribute in existing shortcodes to remove the injection point
  • Apply a content filtering layer or use a sanitization plugin that escapes or strips script tags from shortcode attributes before rendering
  • Restrict Contributor-level access to trusted users or consider reducing the capabilities of the role until a patch is installed

Generated by OpenCVE AI on April 21, 2026 at 00:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Dec 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Dec 2025 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Sonlamtn200
Sonlamtn200 paypal Payment Shortcode
Wordpress
Wordpress wordpress
Vendors & Products Sonlamtn200
Sonlamtn200 paypal Payment Shortcode
Wordpress
Wordpress wordpress

Fri, 12 Dec 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Paypal Payment Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buttom_image' parameter of the [paypal-shortcode] shortcode in all versions up to, and including, 1.01 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Paypal Payment Shortcode <= 1.01 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'buttom_image' Shortcode Attribute
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Sonlamtn200 Paypal Payment Shortcode
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:16:00.459Z

Reserved: 2025-12-03T15:25:21.576Z

Link: CVE-2025-13966

cve-icon Vulnrichment

Updated: 2025-12-12T20:07:01.797Z

cve-icon NVD

Status : Deferred

Published: 2025-12-12T04:15:44.657

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13966

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T01:00:12Z

Weaknesses