CVE-2024-3065 in PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode Plugin
Summary
by MITRE • 05/23/2024
The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Analysis
by VulDB Data Team • 05/26/2026
The vulnerability in the PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode plugin for WordPress represents a critical stored cross-site scripting flaw that undermines the security posture of affected installations. This vulnerability exists in all versions up to and including 1.7, where the plugin fails to properly sanitize user inputs and escape output when processing admin settings. The flaw specifically targets the plugin's handling of administrative configurations, creating a persistent vector for malicious code injection that can affect all users who access compromised pages.
The technical implementation of this vulnerability stems from inadequate input validation mechanisms within the plugin's administrative interface. When administrators configure the plugin settings, the system does not sufficiently sanitize the data entered into various fields, particularly those related to button configurations and shortcode parameters. This insufficient sanitization combined with inadequate output escaping creates a condition where malicious scripts can be stored within the plugin's configuration data and subsequently executed whenever affected pages are rendered. The vulnerability operates at the administrative level, requiring attackers to possess administrator-level permissions or higher, which significantly reduces the attack surface but does not eliminate the risk entirely.
The operational impact of this vulnerability extends beyond simple script execution to potentially enable more sophisticated attacks within the compromised WordPress environment. Attackers with administrative access can inject malicious JavaScript code that could perform actions such as stealing administrator session cookies, modifying plugin configurations, or redirecting users to malicious sites. Because the payload is stored, the malicious code persists until an administrator removes it manually, creating a long-term threat vector. The restriction to multi-site installations and environments where unfiltered_html has been disabled means the flaw matters most in shared hosting or managed WordPress installations, precisely the environments where that capability is removed as a security control and administrators are not expected to be able to publish raw markup.
This vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws in software applications, and demonstrates how inadequate input sanitization can create persistent security risks. The ATT&CK framework categorizes this type of vulnerability under T1190 - Exploit Public-Facing Application, as it represents an attack vector that leverages administrative interfaces to establish persistent malicious presence. The fact that this affects multi-site installations indicates that the vulnerability has implications for WordPress multisite configurations, where the compromise of one site could potentially affect the entire network. Organizations should consider implementing additional monitoring for administrative activities, as the injection of malicious scripts would likely generate unusual patterns in plugin configuration changes.
The mitigation strategy for this vulnerability requires immediate action including updating to the latest plugin version where the vulnerability has been patched. Administrators should also review existing plugin configurations for any signs of malicious code injection and implement stricter input validation policies. Additionally, organizations should consider implementing web application firewalls to detect and prevent malicious script injection attempts, while maintaining regular security audits of plugin configurations to identify potential compromise indicators. The vulnerability highlights the importance of proper input sanitization and output escaping practices in web application development, particularly within administrative interfaces where privileged access can enable more severe security consequences.
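To make the mechanism and the mitigation concrete, the following added example (not the plugin's own code) shows a hypothetical button-label setting handled the way the analysis describes, with no sanitization on save and no escaping on output, beside the hardened form using WordPress core APIs. The option name, function names and shortcode tag are assumptions for illustration.

```php
<?php
// Added example, not code from the plugin. Option name, shortcode tag and
// function names are hypothetical.

// --- Vulnerable pattern: raw option stored, then echoed unescaped ---
function hypo_vuln_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // Stored as-is: whatever markup an administrator types is persisted,
    // bypassing the unfiltered_html restriction that core applies to posts.
    update_option( 'hypo_paypal_button_label', $_POST['button_label'] );
}

function hypo_vuln_render_button( $atts ) {
    $label = get_option( 'hypo_paypal_button_label', 'Buy Now' );
    // Echoed without escaping: stored markup runs for every visitor.
    return '<button class="paypal-button">' . $label . '</button>';
}

// --- Hardened pattern: sanitize on input, escape on output ---
function hypo_safe_register_settings() {
    // The Settings API runs sanitize_callback before the value is stored
    // and handles the nonce check for the options form itself.
    register_setting( 'hypo_paypal_options', 'hypo_paypal_button_label', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field', // strips tags
        'default'           => 'Buy Now',
    ) );
}
add_action( 'admin_init', 'hypo_safe_register_settings' );

function hypo_safe_render_button( $atts ) {
    $atts  = shortcode_atts( array( 'label' => '' ), $atts, 'hypo_paypal_button' );
    $label = '' !== $atts['label']
        ? $atts['label']
        : get_option( 'hypo_paypal_button_label', 'Buy Now' );
    // Escape at the point of output regardless of what was stored; this is
    // the step whose absence turns a stored value into stored XSS.
    return '<button class="paypal-button">' . esc_html( $label ) . '</button>';
}
add_shortcode( 'hypo_paypal_button', 'hypo_safe_render_button' );
```

When reviewing an existing plugin for this class of bug, look for update_option() calls fed from $_POST without a sanitize step and for option values concatenated into HTML without esc_html(), esc_attr() or wp_kses_post().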