The PayPal Express Checkout plugin for WordPress contains a stored cross‑site scripting flaw, caused by failing to properly neutralize user‑supplied input before rendering web pages. An attacker can inject malicious scripts into data fields that the plugin then returns to visitors without sanitization. The injected script runs automatically in the browsers of anyone who views the affected page, enabling actions such as hijacking user sessions, stealing credentials or cookies, or defacing the site. This vulnerability corresponds to CWE‑79.

WordPress sites that use the hccoder PayPal Express Checkout plugin version 2.1.2 or earlier are affected. Any installation where this plugin is active and remains at or below that version is vulnerable, regardless of other plugin or theme configurations.

The CVSS score of 7.1 indicates a high severity issue while the EPSS score of less than 1% suggests that active exploitation is unlikely but not impossible. The vulnerability is not listed in CISA’s KEV catalog. A likely attack vector involves an attacker submitting malicious input through the plugin’s data entry interfaces, which the plugin stores and later serves back to visitors. Because the flaw resides in stored data, the attack can be performed remotely over the web interface without any additional services or software needed on the vulnerable host.