CVE-2026-4072 in WordPress PayPal Donation Plugin
Summary
by MITRE • 03/21/2026
The WordPress PayPal Donation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'donate' shortcode in all versions up to, and including, 1.01. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'amount', 'email', 'title', 'return_url', 'cancel_url', 'ccode', and 'image'. The wordpress_paypal_donation_create() function uses extract(shortcode_atts(...)) to process shortcode attributes and then directly interpolates these values into HTML output within single-quoted attribute values without any escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 03/21/2026
The vulnerability identified as CVE-2026-4072 affects the WordPress PayPal Donation plugin, representing a critical stored cross-site scripting weakness that undermines the security integrity of WordPress installations. This flaw exists in all versions up to and including 1.01, making it a widespread concern for WordPress users who rely on this plugin for donation processing. The vulnerability stems from inadequate input validation and output sanitization mechanisms within the plugin's core functionality, specifically targeting the shortcode attribute handling system that processes user-supplied data for donation forms.
The technical implementation of this vulnerability occurs within the wordpress_paypal_donation_create() function where the extract() PHP function is employed to process shortcode attributes obtained through shortcode_atts(). This approach creates a dangerous situation where user-provided parameters such as 'amount', 'email', 'title', 'return_url', 'cancel_url', 'ccode', and 'image' are directly incorporated into HTML output without proper sanitization. The use of single-quoted attribute values in the generated HTML code further compounds the issue, as these values are interpolated directly without appropriate escaping mechanisms. This design flaw allows attackers to inject malicious JavaScript payloads that persist in the system and execute whenever affected pages are accessed.
The operational impact of this vulnerability extends beyond simple data corruption or theft, as it creates a persistent threat vector that can affect multiple users within a WordPress environment. Attackers with Contributor-level access or higher can exploit this weakness to inject malicious scripts that will execute in the context of any user who visits a page containing the vulnerable shortcode. This stored XSS vulnerability enables attackers to perform various malicious activities including session hijacking, credential theft, redirection to malicious sites, and potential privilege escalation within the WordPress environment. The vulnerability is particularly concerning because it requires minimal privileges to exploit and can affect users across different permission levels, making it a significant threat to WordPress site security.
Security practitioners should recognize this vulnerability as a direct violation of established security principles and best practices, aligning with CWE-79 (Cross-site Scripting) and representing a clear example of insufficient output escaping. The ATT&CK framework categorizes this vulnerability under T1566 (Phishing) and T1059 (Command and Scripting Interpreter) as attackers can leverage the stored XSS to redirect users to malicious sites or execute arbitrary commands. Mitigation strategies should include immediate plugin updates to versions that properly sanitize input parameters and implement proper output escaping mechanisms. Organizations should also consider implementing additional security measures such as Content Security Policy headers, regular security audits of installed plugins, and monitoring for suspicious shortcode usage patterns. The vulnerability demonstrates the critical importance of proper input validation and output sanitization in web applications, particularly those handling user-generated content within WordPress environments where plugins can significantly expand attack surface areas.