Description
Cross-Site Request Forgery (CSRF) vulnerability in Scott Paterson Accept Donations with PayPal & Stripe easy-paypal-donation allows Stored XSS. This issue affects Accept Donations with PayPal & Stripe: from n/a through <= 1.4.5.
Published: 2025-05-07
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Cross-Site Request Forgery flaw in the Scott Paterson Accept Donations with PayPal & Stripe plugin lets an attacker cause a logged-in user's browser to submit a request that stores attacker-controlled JavaScript in the site's content database. Once stored, the payload executes in the browsers of visitors or administrators who view the affected page, potentially exposing credentials, hijacking sessions, or defacing the site. The vulnerability is categorized as CWE-352, reflecting the missing anti-CSRF controls that allow the forged request to be accepted. The net effect is that attackers can inject and persist malicious scripts that run with the privileges of whoever views the rendered page.

Affected Systems

The flaw affects the WordPress plugin "Accept Donations with PayPal & Stripe" by Scott Paterson, versions up to and including 1.4.5. All installations running any version ≤1.4.5 are vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. However, the EPSS score of <1% suggests that exploitation is unlikely to be widespread under current conditions, and the vulnerability is not listed in CISA's KEV catalog. An attacker triggers the stored XSS by luring a user into loading a crafted link or form that submits the forged request, so the attack vector is remote, requires no privileges on the attacker's side, and depends on the victim being logged in to an affected account at the time the request is submitted.

Generated by OpenCVE AI on April 30, 2026 at 13:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Accept Donations with PayPal & Stripe plugin to the latest available version (≥1.4.6) where the CSRF check has been restored.
  • Identify and delete any stored content that may contain malicious JavaScript that was injected while the version was vulnerable.
  • Add or verify CSRF protection on admin‑side form submissions, for example by ensuring that a valid nonce token is required before storing user‑supplied data.
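The third action in code, as an added illustration that is not the plugin's own code and is not taken from this record: a WordPress admin_post handler that accepts the form without any nonce (the CWE-352 pattern), beside the same handler with a nonce check, a capability check, input sanitisation and output escaping. Hook, option and field names are assumed.

```php
<?php
// Added example, not the plugin's code. Hook, option and field names are assumed.

// Vulnerable pattern (CWE-352 leading to stored XSS): no nonce, no capability
// check, raw $_POST written to the database and later printed unescaped.
function ed_example_save_settings_unsafe() {
    update_option( 'ed_example_thank_you_text', $_POST['thank_you_text'] );
    wp_safe_redirect( admin_url( 'admin.php?page=ed-example' ) );
    exit;
}
add_action( 'admin_post_ed_example_save_unsafe', 'ed_example_save_settings_unsafe' );

// Hardened pattern: the form carries a nonce tied to this action and user session.
function ed_example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="ed_example_save">';
    wp_nonce_field( 'ed_example_save', 'ed_example_nonce' );
    // Stored value is escaped on output, so anything injected earlier is rendered inert.
    echo '<input type="text" name="thank_you_text" value="'
        . esc_attr( get_option( 'ed_example_thank_you_text', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

function ed_example_save_settings() {
    // 1. CSRF: the nonce must be present and valid for this action; wp_die(403) otherwise.
    check_admin_referer( 'ed_example_save', 'ed_example_nonce' );

    // 2. Authorization: a valid nonce proves intent, not privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 3. Sanitize on input; escape on output (see ed_example_render_form).
    $text = isset( $_POST['thank_you_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['thank_you_text'] ) )
        : '';
    update_option( 'ed_example_thank_you_text', $text );

    wp_safe_redirect( admin_url( 'admin.php?page=ed-example' ) );
    exit;
}
add_action( 'admin_post_ed_example_save', 'ed_example_save_settings' );
```

When the same option is printed on a public page, wrap it in esc_html() (or wp_kses_post() if limited HTML is intended) so stored content from a vulnerable version cannot execute.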


Advisories
Source: EUVD
ID: EUVD-2025-13810
Title: Cross-Site Request Forgery (CSRF) vulnerability in Scott Paterson Accept Donations with PayPal allows Stored XSS. This issue affects Accept Donations with PayPal: from n/a through 1.4.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in Scott Paterson Accept Donations with PayPal allows Stored XSS. This issue affects Accept Donations with PayPal: from n/a through 1.4.5.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Scott Paterson Accept Donations with PayPal & Stripe easy-paypal-donation allows Stored XSS.This issue affects Accept Donations with PayPal & Stripe: from n/a through <= 1.4.5.
Type: References
Type: Metrics (cvssV3_1)
Values Removed: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
Values Added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Mon, 14 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.00016}
Values Added: {'score': 0.00019}


Mon, 09 Jun 2025 17:15:00 +0000

Type: First Time appeared
Values Added: Wpplugin; Wpplugin accept Donations With Paypal
Type: CPEs
Values Added: cpe:2.3:a:wpplugin:accept_donations_with_paypal:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
Values Added: Wpplugin; Wpplugin accept Donations With Paypal

Wed, 07 May 2025 19:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 May 2025 14:45:00 +0000

Type: Description
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Scott Paterson Accept Donations with PayPal allows Stored XSS. This issue affects Accept Donations with PayPal: from n/a through 1.4.5.
Type: Title
Values Added: WordPress Accept Donations with PayPal plugin <= 1.4.5 - CSRF to Stored XSS vulnerability
Type: Weaknesses
Values Added: CWE-352
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wpplugin Accept Donations With Paypal
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:43.846Z

Reserved: 2025-05-07T09:39:40.222Z

Link: CVE-2025-47517

Vulnrichment

Updated: 2025-05-07T17:21:04.180Z

NVD

Status: Modified

Published: 2025-05-07T15:16:08.490

Modified: 2026-04-23T15:30:23.033

Link: CVE-2025-47517

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T13:45:23Z

Weaknesses