CVE-2024-5448 in PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode Plugin
Summary
by MITRE • 06/21/2024
The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin through 1.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 03/22/2025
The vulnerability identified as CVE-2024-5448 affects the PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin version 1.7 and earlier. This issue represents a critical security flaw that enables stored cross-site scripting attacks through improper input validation and output escaping mechanisms within the plugin's shortcode implementation. The vulnerability specifically targets the plugin's handling of shortcode attributes, which are parameters used to configure the display and functionality of PayPal buttons within WordPress content.
The technical flaw stems from the plugin's failure to properly sanitize and escape shortcode attributes before rendering them in HTML output contexts. When users with contributor roles and above embed the plugin's shortcodes in posts or pages, the system processes these attributes without adequate validation, creating an attack surface where malicious scripts can be injected and persisted within the WordPress environment. This stored XSS vulnerability allows attackers to execute malicious JavaScript code in the context of other users' browsers who view pages containing the compromised shortcode content. The vulnerability is particularly concerning because it leverages the contributor role and above, which typically have limited capabilities but can now potentially execute arbitrary code through content they can create or modify.
From an operational impact perspective, this vulnerability exposes WordPress sites using the affected plugin to significant security risks including session hijacking, credential theft, and potential full site compromise. The stored nature of the XSS attack means that malicious payloads persist in the database and can affect multiple users over time, making detection and remediation more challenging. Attackers can craft malicious shortcode attributes that, when rendered on victim pages, execute scripts that steal cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users. The vulnerability's impact extends beyond individual user sessions to potentially affect entire WordPress installations, especially when combined with other exploitation techniques or when the compromised site hosts sensitive user data.
Security professionals should immediately implement mitigations including updating to the latest plugin version where the vulnerability has been patched, implementing strict input validation for all shortcode parameters, and considering the use of Content Security Policy headers to limit script execution. The vulnerability aligns with CWE-79 which describes cross-site scripting flaws, and maps to ATT&CK technique T1548.001 for privilege escalation through web shell deployment. Organizations should also conduct thorough security audits of all installed plugins to identify similar vulnerabilities and implement proper output escaping mechanisms. The incident underscores the critical importance of proper input validation in web applications and demonstrates how seemingly minor security oversights in plugin development can create significant attack vectors for sophisticated adversaries.