CVE-2024-6021 in Donation Block for PayPal Plugininfo

Summary

by MITRE • 07/30/2024

The Donation Block For PayPal WordPress plugin through 2.1.0 does not sanitise and escape form submissions, leading to a stored cross-site scripting vulnerability

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 05/31/2025

The Donation Block For PayPal WordPress plugin version 2.1.0 and earlier contains a critical stored cross-site scripting vulnerability that arises from insufficient sanitization and escaping of form submissions. This vulnerability allows authenticated attackers with contributor-level permissions or higher to inject malicious scripts into the plugin's form handling functionality, which are then stored on the server and executed when other users view the affected pages. The flaw exists in the plugin's processing of user input through donation form submissions, where data is not properly validated or escaped before being stored in the database and subsequently rendered in web pages without adequate context-specific escaping mechanisms.

The technical implementation of this vulnerability stems from the plugin's failure to apply proper input sanitization techniques and output escaping practices as defined by web application security standards. According to CWE-79, the vulnerability represents a classic stored cross-site scripting flaw where malicious input is permanently stored on the server and later executed in the context of other users' browsers. The vulnerability affects the plugin's form handling logic where user-provided data from donation fields is directly stored without proper sanitization, creating an attack surface that can be exploited by malicious actors to execute arbitrary JavaScript code in the browsers of unsuspecting users.

The operational impact of this vulnerability extends beyond simple script execution as it can be leveraged to perform various malicious activities including session hijacking, credential theft, redirection to malicious sites, and data exfiltration from authenticated user sessions. Attackers can craft malicious payloads that persist in the plugin's form submissions and execute whenever administrators or other users view the donation form pages. This stored nature of the vulnerability means that the malicious scripts remain active even after the initial injection, potentially allowing attackers to maintain persistent access or conduct extended campaigns against the targeted WordPress installation. The vulnerability is particularly concerning for WordPress sites that rely on contributor-level user accounts for content management, as these users can potentially exploit the flaw without requiring administrator privileges.

Mitigation strategies for this vulnerability should focus on immediate patching of the plugin to version 2.1.1 or later, which contains the necessary sanitization and escaping fixes. Organizations should also implement additional security measures including input validation at multiple layers, output escaping for all dynamic content, and regular security audits of WordPress plugins and themes. The vulnerability aligns with ATT&CK technique T1566.001 for initial access through malicious content and T1059.001 for command and control through script injection. Administrators should also consider implementing web application firewalls, monitoring for suspicious form submissions, and conducting regular penetration testing to identify similar vulnerabilities in other plugins or custom code. The remediation process should include thorough testing of the patched plugin to ensure that legitimate functionality remains intact while the XSS vulnerability is fully addressed.

Responsible

WPScan

Reservation

06/14/2024

Disclosure

07/30/2024

Moderation

accepted

CPE

ready

EPSS

0.00421

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!