CVE-2024-5447 in PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode Plugin
Summary
by MITRE • 06/21/2024
The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Analysis
by VulDB Data Team • 03/22/2025
The vulnerability identified as CVE-2024-5447 affects the PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin, version 1.7 and earlier. This critical security flaw lies in how the plugin handles its settings parameters: values entered through the settings interface are neither sanitized on input nor escaped on output, which lets a malicious actor store cross-site scripting payloads that persist within the WordPress environment.
The technical flaw manifests in the plugin's insufficient input validation and output escaping mechanisms. When administrators or other high-privilege users configure the plugin settings, the data entered is not properly sanitized before being stored in the database or rendered in the user interface. This failure creates a stored XSS vulnerability where malicious scripts can be injected into the plugin's configuration settings and subsequently executed whenever the affected pages are loaded. The vulnerability is particularly concerning because it operates even when the WordPress multisite environment has restricted the unfiltered_html capability, which typically prevents users from injecting raw HTML content.
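The save-and-render pattern described above, as an added PHP illustration that is not the plugin's or VulDB's code: the option, function and setting names prefixed `ppbs_` are hypothetical. The insecure functions are shown only for contrast next to the hardened form that WordPress core supports (`sanitize_callback`, `esc_attr()`, `wp_kses_post()`).

```php
<?php
// Added illustration, not the plugin's own code; ppbs_* names are hypothetical.
// A settings value saved and rendered without sanitisation or escaping,
// beside the hardened pattern WordPress core provides.

// --- Vulnerable pattern: stored as submitted, echoed raw. ---
function ppbs_register_settings_insecure() {
    // No sanitize_callback: whatever the settings form POSTs is persisted.
    register_setting( 'ppbs_options', 'ppbs_button_label' );
}
function ppbs_render_button_insecure() {
    $label = get_option( 'ppbs_button_label', 'Pay Now' );
    // Raw output: a stored payload runs on every page load, even on
    // multisite where unfiltered_html has been removed from admins.
    echo '<input type="submit" value="' . $label . '">';
}

// --- Hardened pattern: sanitise on save, escape for the output context. ---
function ppbs_sanitize_label( $value ) {
    // Plain-text field: strip tags and control characters before storing.
    return sanitize_text_field( (string) $value );
}
function ppbs_sanitize_note( $value ) {
    // Field that may hold limited markup: apply the rule core uses, so a
    // user lacking unfiltered_html can only store wp_kses_post()-filtered HTML.
    if ( current_user_can( 'unfiltered_html' ) ) {
        return (string) $value;
    }
    return wp_kses_post( (string) $value );
}
function ppbs_register_settings_secure() {
    register_setting( 'ppbs_options', 'ppbs_button_label', array(
        'type'              => 'string',
        'sanitize_callback' => 'ppbs_sanitize_label',
        'default'           => 'Pay Now',
    ) );
    register_setting( 'ppbs_options', 'ppbs_button_note', array(
        'type'              => 'string',
        'sanitize_callback' => 'ppbs_sanitize_note',
        'default'           => '',
    ) );
}
function ppbs_render_button_secure() {
    // Escape at output as well: esc_attr() for the attribute, wp_kses_post()
    // again for the HTML block, so a value that bypassed the save path stays safe.
    $label = get_option( 'ppbs_button_label', 'Pay Now' );
    echo '<input type="submit" value="' . esc_attr( $label ) . '">';
    echo '<p>' . wp_kses_post( get_option( 'ppbs_button_note', '' ) ) . '</p>';
}
add_action( 'admin_init', 'ppbs_register_settings_secure' );
```

Only the hardened registration is hooked; the `_insecure` functions exist solely to show the defect the analysis describes.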
The operational impact of this vulnerability extends beyond simple script execution: an attacker who already holds administrative privileges can manipulate the plugin's functionality and potentially escalate their access within the WordPress environment. Because the XSS is stored, the malicious code persists and runs automatically whenever an affected page is accessed, which makes it harder to detect and remediate. Attackers can use this vulnerability to steal administrative credentials, modify plugin behavior, inject malicious content into user-facing pages, or redirect users to malicious websites. The vulnerability affects all WordPress installations running the affected plugin version, regardless of whether the unfiltered_html capability is explicitly disabled.
This vulnerability aligns with CWE-79, which describes Cross-Site Scripting (XSS) flaws in web applications, and demonstrates how insufficient output escaping can lead to persistent security issues. From an ATT&CK perspective, this vulnerability maps to T1548.003, representing abuse of group policy or privilege escalation through the manipulation of application settings, and T1566.001, which covers spearphishing with malicious attachments or links. The exploitation of this vulnerability requires only administrative access to the WordPress site, making it particularly dangerous in environments where multiple administrators have access to the system. Organizations should immediately update to the patched version of the plugin or implement temporary mitigations such as restricting administrative privileges, monitoring plugin configuration changes, and implementing web application firewalls to detect and block potential XSS payloads. The vulnerability underscores the importance of proper input sanitization and output escaping in web applications, particularly in plugins that handle user configuration data and interface elements.