Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scott Paterson Easy PayPal Buy Now Button wp-ecommerce-paypal allows Stored XSS. This issue affects Easy PayPal Buy Now Button: from n/a through <= 2.0.
Published: 2025-05-07
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw that allows an attacker to embed malicious script code into a web page served by the Easy PayPal Buy Now Button plugin. The flaw arises from improper neutralization of user input during web page generation, and is classified as CWE‑79. When exploited, the injected script runs in the context of any site visitor that loads the affected page, enabling session hijacking, credential theft, or malicious page redirection. The damage potential is limited to confidentiality and integrity of data accessed through the victim’s browser, and does not directly provide system‑wide code execution.

Affected Systems

The issue affects the Scott Paterson Easy PayPal Buy Now Button WordPress plugin. All releases up to and including version 2.0 are vulnerable; no release in that range contains the fix.

Risk and Exploitability

The CVSS score of 5.9 indicates a medium severity that can affect multiple users through a single exploitation. The EPSS score of less than 1% suggests that large‑scale automated attacks are unlikely at present, and the vulnerability is not listed in CISA’s KEV catalog. The most probable attack vector is a user or administrator interacting with the plugin’s form or settings interface, which stores unsanitized input. In the absence of additional mitigations, any visitor who loads the stored data after injection can be affected.

Generated by OpenCVE AI on April 30, 2026 at 13:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Easy PayPal Buy Now Button to the latest vendor release (any version newer than 2.0) to remove the stored XSS flaw.
  • If an immediate update is not possible, delete or disable the plugin from the WordPress installation to eliminate the attack surface.
  • Keep WordPress core and all other plugins up to date to reduce the overall risk of injection and other vectors.


Advisories
Source: EUVD
ID: EUVD-2025-13760
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scott Paterson Easy PayPal Buy Now Button allows Stored XSS. This issue affects Easy PayPal Buy Now Button: from n/a through 2.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}
Values Added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scott Paterson Easy PayPal Buy Now Button allows Stored XSS. This issue affects Easy PayPal Buy Now Button: from n/a through 2.0.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scott Paterson Easy PayPal Buy Now Button wp-ecommerce-paypal allows Stored XSS. This issue affects Easy PayPal Buy Now Button: from n/a through <= 2.0.

Type: Title
Values Removed: WordPress Easy PayPal Buy Now Button <= 2.0 - Cross Site Scripting (XSS) Vulnerability
Values Added: WordPress Easy PayPal Buy Now Button plugin <= 2.0 - Cross Site Scripting (XSS) Vulnerability

Type: References

Type: Metrics (cvssV3_1)
Values Removed: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}
Values Added: {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}


Mon, 14 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.00031}
Values Added: {'score': 0.00036}


Mon, 12 May 2025 20:30:00 +0000

Type: First Time appeared
Values Added: Wpplugin; Wpplugin easy Paypal & Stripe Buy Now Button

Type: CPEs
Values Added: cpe:2.3:a:wpplugin:easy_paypal_\&_stripe_buy_now_button:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Wpplugin; Wpplugin easy Paypal & Stripe Buy Now Button

Thu, 08 May 2025 16:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 07 May 2025 14:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scott Paterson Easy PayPal Buy Now Button allows Stored XSS. This issue affects Easy PayPal Buy Now Button: from n/a through 2.0.

Type: Title
Values Added: WordPress Easy PayPal Buy Now Button <= 2.0 - Cross Site Scripting (XSS) Vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:47.462Z

Reserved: 2025-05-07T10:44:40.884Z

Link: CVE-2025-47623

Vulnrichment

Updated: 2025-05-08T15:34:51.131Z

NVD

Status: Modified

Published: 2025-05-07T15:16:15.430

Modified: 2026-04-23T15:30:37.717

Link: CVE-2025-47623

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T13:30:15Z

Weaknesses