Description
The ThemeMakers PayPal Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'paypal' shortcode in versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-02-27
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via the 'paypal' shortcode in ThemeMakers PayPal Express Checkout
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the ThemeMakers PayPal Express Checkout WordPress plugin, where the 'paypal' shortcode accepts user‑supplied attributes without adequate sanitization or escaping. This flaw allows an authenticated contributor or higher to embed malicious JavaScript code that is stored and served to any visitor of pages using the shortcode. The result is a stored cross‑site scripting condition capable of stealing session cookies, defacing site content, or redirecting users to malicious sites.

Affected Systems

Affected systems are all installations of the ThemeMakers PayPal Express Checkout plugin for WordPress running version 1.1.9 or earlier. The plugin is commonly used in themes such as Car Dealer Automotive, and any user with contributor‑level access or higher can exploit the flaw by inserting a malicious shortcode into a page or post.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access, so attackers must first compromise user credentials or gain contributor privileges. Once authenticated, the attacker can craft a malicious shortcode that, when embedded in a post or page, will execute on visitors’ browsers.

Generated by OpenCVE AI on April 22, 2026 at 02:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ThemeMakers PayPal Express Checkout to the latest version that implements proper input sanitization for the 'paypal' shortcode.
  • If an upgrade is not possible, revoke or downgrade contributor‑level permissions so that users cannot edit pages containing the shortcode.
  • Configure the plugin or alter the shortcode template to escape all user‑supplied attributes before rendering, preventing stored script injection.
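As an added illustration of the last point (hypothetical code, not the plugin's own and not from OpenCVE; attribute names and the form markup are assumed), the unescaped shortcode pattern the advisory describes sits beside a hardened handler that uses WordPress's shortcode_atts() and context-specific escaping:

```php
<?php
// Hypothetical 'paypal' shortcode handler, added for illustration only.
// Attribute names (amount, currency, button_text, return_url) are assumed.

// Unsafe pattern: attribute values from the post body are concatenated into
// HTML unescaped, so anyone who can save the shortcode controls the markup.
// Shown for contrast; do not register this with add_shortcode().
function tm_paypal_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array(
        'amount'      => '0.00',
        'currency'    => 'USD',
        'button_text' => 'Pay with PayPal',
        'return_url'  => '',
    ), $atts, 'paypal' );

    return '<form action="' . $atts['return_url'] . '" method="post">'
         . '<input type="hidden" name="amount" value="' . $atts['amount'] . '">'
         . '<input type="hidden" name="currency" value="' . $atts['currency'] . '">'
         . '<button type="submit">' . $atts['button_text'] . '</button>'
         . '</form>';
}

// Hardened version: validate values that have a known shape, and escape every
// remaining value for the exact context it is rendered into (URL, attribute,
// or text node) using the core WordPress escaping functions.
function tm_paypal_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array(
        'amount'      => '0.00',
        'currency'    => 'USD',
        'button_text' => 'Pay with PayPal',
        'return_url'  => '',
    ), $atts, 'paypal' );

    // Validation beats escaping where the value has a strict format.
    $amount   = number_format( (float) $atts['amount'], 2, '.', '' );
    $currency = preg_match( '/^[A-Z]{3}$/', $atts['currency'] ) ? $atts['currency'] : 'USD';

    return '<form action="' . esc_url( $atts['return_url'] ) . '" method="post">'
         . '<input type="hidden" name="amount" value="' . esc_attr( $amount ) . '">'
         . '<input type="hidden" name="currency" value="' . esc_attr( $currency ) . '">'
         . '<button type="submit">' . esc_html( $atts['button_text'] ) . '</button>'
         . '</form>';
}
add_shortcode( 'paypal', 'tm_paypal_shortcode_hardened' );
```

esc_url() rejects javascript: and other non-allowed schemes, esc_attr() neutralizes quote and angle-bracket characters inside attributes, and esc_html() does the same for text content; the default shortcode_atts() call also drops any attribute not in the whitelist.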

Advisories
Source: EUVD
ID: EUVD-2025-5119
Title: The ThemeMakers PayPal Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'paypal' shortcode in versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Tue, 11 Mar 2025 16:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Thememakers; Thememakers paypal Checkout
CPEs                |                | cpe:2.3:a:thememakers:paypal_checkout:*:*:*:*:*:wordpress:*:*
Vendors & Products  |                | Thememakers; Thememakers paypal Checkout

Tue, 04 Mar 2025 03:45:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 27 Feb 2025 07:00:00 +0000

Type        | Values Removed | Values Added
Description |                | The ThemeMakers PayPal Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'paypal' shortcode in versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title       |                | ThemeMakers PayPal Express Checkout <= 1.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:57:23.084Z

Reserved: 2025-02-25T11:27:08.216Z

Link: CVE-2025-1689

Vulnrichment

Updated: 2025-02-27T14:50:31.679Z

NVD

Status : Analyzed

Published: 2025-02-27T07:15:35.400

Modified: 2025-03-11T16:19:41.870

Link: CVE-2025-1689

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T02:15:05Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')