Impact
This vulnerability allows stored cross‑site scripting in the Paytm Payment Donation WordPress plugin. An attacker can inject malicious script into user‑controlled fields that are saved in the database and later rendered by the plugin, potentially leading to defacement, credential theft, or session hijacking. The weakness is identified as CWE‑79, reflecting improper neutralization of input during web page generation.
Affected Systems
The Paytm Payment Donation plugin for WordPress, versions 2.3.3 and earlier, is affected: every release from the product’s first version through 2.3.3 carries the weakness. Any WordPress installation still running one of these versions without upgrading exposes its users to the risk.
Risk and Exploitability
The CVSS score of 5.9 corresponds to medium severity. The EPSS score is below 1%, indicating a low estimated probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The typical attack scenario involves a malicious user or a compromised account submitting script‑laden content through the plugin’s input fields; the content is stored and later displayed to every visitor of the affected pages. Because exploitation requires interaction with the plugin’s UI, this is not arbitrary remote code execution; however, a successful attack can compromise the confidentiality and integrity of site content and user sessions.
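To make the CWE‑79 pattern concrete, the following is an added, hypothetical illustration and not code from the Paytm Payment Donation plugin: a "donor message" option that a WordPress plugin stores and later renders, shown first in the vulnerable shape (raw input stored, raw output echoed) and then hardened with nonce and capability checks, sanitize_text_field() on input and esc_html() on output. The function and option names are invented for the example.

```php
<?php
// Added illustration (not the plugin's code): a hypothetical donor-message
// option, showing the stored-XSS pattern and its fix with WordPress APIs.

// VULNERABLE: raw POST data stored, later echoed unescaped into the page.
function donation_demo_save_message_vulnerable() {
    if ( isset( $_POST['donor_message'] ) ) {
        // Stored as-is: any "<script>" in the message survives into the option.
        update_option( 'donation_demo_message', wp_unslash( $_POST['donor_message'] ) );
    }
}
function donation_demo_render_message_vulnerable() {
    // Unescaped output: stored markup runs in every visitor's browser.
    return '<p class="donor-message">' . get_option( 'donation_demo_message', '' ) . '</p>';
}

// HARDENED: verify request intent, sanitize on input, escape on output.
function donation_demo_save_message_fixed() {
    if ( ! isset( $_POST['donor_message'] ) ) {
        return;
    }
    // Nonce check: the request must originate from the plugin's own form.
    if ( ! isset( $_POST['_wpnonce'] )
        || ! wp_verify_nonce( sanitize_key( $_POST['_wpnonce'] ), 'donation_demo_save' ) ) {
        return;
    }
    // Capability check: only users allowed to change settings may write it.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // sanitize_text_field() strips tags, stray "<", line breaks and
    // percent-encoded octets before the value reaches the database.
    $clean = sanitize_text_field( wp_unslash( $_POST['donor_message'] ) );
    update_option( 'donation_demo_message', $clean );
}
function donation_demo_render_message_fixed() {
    // Escape at the point of output regardless of what is stored: this is
    // defence in depth in case old, unsanitized values remain in the database.
    return '<p class="donor-message">' . esc_html( get_option( 'donation_demo_message', '' ) ) . '</p>';
}

// Hook the hardened handlers (hypothetical action and shortcode names).
add_action( 'admin_post_donation_demo_save', 'donation_demo_save_message_fixed' );
add_shortcode( 'donation_demo_message', 'donation_demo_render_message_fixed' );
```

When auditing a plugin for this class of bug, look for every echo or return of stored data that does not pass through esc_html(), esc_attr() or wp_kses(), since escaping on output is what stops already-stored payloads from rendering.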
OpenCVE Enrichment