Description
Cross-Site Request Forgery (CSRF) vulnerability in fullworks Quick Paypal Payments quick-paypal-payments allows Cross Site Request Forgery. This issue affects Quick Paypal Payments: from n/a through <= 5.7.46.
Published: 2025-09-05
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Quick Paypal Payments plugin lacks a CSRF check on state‑changing requests. An attacker who lures a logged‑in user into visiting a crafted page or URL can therefore make the plugin perform privileged PayPal payment actions on that user's behalf. The weakness is CWE‑352; its effect is on the integrity of the site's payment operations (the CVSS vector records I:L with no confidentiality or availability impact).

Affected Systems

WordPress sites running the fullworks Quick Paypal Payments plugin at version 5.7.46 or older are vulnerable. Any installation with the plugin active and an authenticated user can be targeted. The problem is independent of the browser and platform in use.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate risk, and an EPSS score of less than 1% means exploitation is uncommon but still possible. The attack requires no privileges on the target site (PR:N) but does require user interaction (UI:R): the state‑changing request is issued by the victim's own browser after the logged‑in user visits an attacker‑controlled page. The vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known widespread exploitation at the time of this analysis.

Generated by OpenCVE AI on May 1, 2026 at 06:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Quick Paypal Payments plugin to version 5.7.47 or later, which includes CSRF protection.
  • If an immediate update is not feasible, block state‑changing requests that lack a valid CSRF token by configuring a web application firewall or plugin rule.
  • Disable or remove the Quick Paypal Payments plugin if it is not required for business operations.
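
As an added illustration (not code from the plugin, from fullworks, or from OpenCVE), the following shows the pattern behind CWE‑352 in a WordPress plugin: an admin‑post handler that saves settings with no request‑origin check, beside the hardened form that requires a WordPress nonce and a capability check. The action name, option name and nonce field name are hypothetical; the WordPress functions used (wp_verify_nonce, wp_nonce_field, current_user_can, wp_die, update_option) are the standard core API.

```php
<?php
// Added example, not the plugin's code. Hook name 'qpp_example_save', option
// 'qpp_example_settings' and nonce field 'qpp_example_nonce' are invented.

// VULNERABLE PATTERN: the handler trusts any POST that names the action.
// A logged-in administrator whose browser submits this request from an
// attacker-controlled page has their settings overwritten (CWE-352).
function qpp_example_save_vulnerable() {
    $settings = array(
        'paypal_email' => sanitize_email( wp_unslash( $_POST['paypal_email'] ?? '' ) ),
    );
    update_option( 'qpp_example_settings', $settings );
    wp_safe_redirect( admin_url( 'options-general.php?page=qpp-example' ) );
    exit;
}

// HARDENED PATTERN: require a nonce bound to this action and the capability
// needed for the change. A cross-site form cannot obtain the nonce, so the
// request is rejected with 403 before any state changes.
function qpp_example_save_hardened() {
    $nonce = isset( $_POST['qpp_example_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['qpp_example_nonce'] ) )
        : '';
    // wp_verify_nonce() returns false for a missing, wrong or expired token.
    if ( ! wp_verify_nonce( $nonce, 'qpp_example_save' ) ) {
        wp_die( esc_html__( 'Security check failed.', 'qpp-example' ), '', array( 'response' => 403 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'qpp-example' ), '', array( 'response' => 403 ) );
    }
    $settings = array(
        'paypal_email' => sanitize_email( wp_unslash( $_POST['paypal_email'] ?? '' ) ),
    );
    update_option( 'qpp_example_settings', $settings );
    wp_safe_redirect( admin_url( 'options-general.php?page=qpp-example' ) );
    exit;
}
add_action( 'admin_post_qpp_example_save', 'qpp_example_save_hardened' );

// The settings form must emit the matching nonce field; wp_nonce_field()
// ties the token to the action string checked above and to the current user.
function qpp_example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="qpp_example_save">';
    wp_nonce_field( 'qpp_example_save', 'qpp_example_nonce' );
    echo '<input type="email" name="paypal_email" value="">';
    submit_button( 'Save' );
    echo '</form>';
}
```

The nonce check must come before any write and must be paired with the capability check: the nonce proves the request came from a form this site rendered for this user, and current_user_can() proves that user is allowed to make the change. Either check alone is insufficient.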

Advisories
Source: EUVD
ID: EUVD-2025-27017
Title: Cross-Site Request Forgery (CSRF) vulnerability in fullworks Quick Paypal Payments allows Cross Site Request Forgery. This issue affects Quick Paypal Payments: from n/a through 5.7.46.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in fullworks Quick Paypal Payments allows Cross Site Request Forgery. This issue affects Quick Paypal Payments: from n/a through 5.7.46.
  Values Added: Cross-Site Request Forgery (CSRF) vulnerability in fullworks Quick Paypal Payments quick-paypal-payments allows Cross Site Request Forgery.This issue affects Quick Paypal Payments: from n/a through <= 5.7.46.
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Sun, 07 Sep 2025 16:00:00 +0000

Type Values Removed Values Added
First Time appeared: Fullworksplugins; Fullworksplugins quick Paypal Payments; Wordpress; Wordpress wordpress
Vendors & Products: Fullworksplugins; Fullworksplugins quick Paypal Payments; Wordpress; Wordpress wordpress

Fri, 05 Sep 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 05 Sep 2025 16:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in fullworks Quick Paypal Payments allows Cross Site Request Forgery. This issue affects Quick Paypal Payments: from n/a through 5.7.46.
Title WordPress Quick Paypal Payments Plugin <= 5.7.46 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:46.315Z

Reserved: 2025-02-17T11:52:05.266Z

Link: CVE-2025-27003

Vulnrichment

Updated: 2025-09-05T18:10:13.496Z

NVD

Status : Deferred

Published: 2025-09-05T17:15:34.473

Modified: 2026-04-23T15:26:13.647

Link: CVE-2025-27003

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T06:30:10Z

Weaknesses