CVE-2023-5665 in Payment Forms for Paystack Plugininfo

Summary

by MITRE • 02/08/2024

The Payment Forms for Paystack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-32130 is likely a duplicate of this issue.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 04/12/2026

The Payment Forms for Paystack plugin for WordPress represents a critical security vulnerability classified as stored cross-site scripting in versions up to and including 3.4.1. This vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's shortcode implementation, creating a persistent security risk that affects WordPress environments utilizing this payment processing solution. The flaw specifically targets user-supplied attributes within shortcode parameters, allowing malicious actors to inject malicious scripts that execute in the context of other users' browsers when they access pages containing the compromised content.

The technical exploitation of this vulnerability occurs through the manipulation of shortcode attributes that are not properly sanitized before being processed and rendered within WordPress pages. When authenticated attackers with contributor-level permissions or higher submit malicious input through these vulnerable attributes, the plugin fails to adequately validate or escape the user-supplied data before storing it in the database. This stored data then gets executed whenever legitimate users access pages containing the compromised shortcodes, creating a persistent XSS attack vector that can affect any user who views the infected content. The vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws where insufficient input validation allows malicious scripts to be executed in the browser of unsuspecting users.

The operational impact of this vulnerability extends beyond simple script injection, as it enables attackers to perform various malicious activities including session hijacking, credential theft, data exfiltration, and potential privilege escalation within the WordPress environment. Contributors and higher-level users who have the ability to insert or modify content through shortcodes become potential attack vectors, as they can inject scripts that execute in the contexts of other users with varying permission levels. This creates a significant risk for organizations that rely on contributor roles for content management, as these users may inadvertently or maliciously introduce persistent XSS payloads that can compromise the entire WordPress installation. The vulnerability also aligns with ATT&CK technique T1566.001 for credential access through social engineering and T1547.001 for privilege escalation through malicious script execution.

Mitigation strategies for this vulnerability require immediate patching of the Payment Forms for Paystack plugin to version 3.4.2 or later, which addresses the input sanitization and output escaping deficiencies. System administrators should implement additional defensive measures including role-based access control restrictions, content review processes, and monitoring of shortcode usage within WordPress environments. The implementation of Content Security Policy headers can provide additional protection against XSS attacks by restricting script execution contexts, while regular security audits of plugin installations should include verification of input sanitization practices and output escaping mechanisms. Organizations should also consider implementing web application firewalls to detect and block suspicious shortcode parameter inputs, and establish incident response procedures for identifying and removing malicious scripts that may have already been injected into the system. Regular security assessments and vulnerability scanning should be conducted to ensure that all plugins maintain proper input validation and output escaping practices to prevent similar vulnerabilities from emerging in the future.

Reservation

10/19/2023

Disclosure

02/08/2024

Moderation

accepted

CPE

ready

EPSS

0.00525

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!