PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode <= 1.7 - Admin+ Stored XSS
Description
The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Admin users can inject stored XSS via unsanitized plugin settings, bypassing unfiltered_html restrictions in multisite.
Vulnerability
The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin through version 1.7 fails to sanitize and escape some of its settings. This allows high-privilege users (Admin) to perform Stored Cross-Site Scripting (XSS) attacks, even when the unfiltered_html capability is disallowed, such as in a multisite setup [1].
Exploitation
An attacker with Admin-level access to the WordPress site can inject malicious JavaScript into the unsanitized plugin settings. When the settings are saved, the payload is stored and executed in the context of any subsequent page load where those settings are rendered [1]. No additional user interaction is required beyond visiting the affected page.
Impact
Successful exploitation results in Stored XSS, enabling the attacker to execute arbitrary JavaScript in the browser of any user viewing the affected admin or front-end pages. This can lead to session hijacking, forced administrative actions, or defacement [1]. The attack bypasses the usual unfiltered_html restriction, which matters most in multisite environments, where site administrators are normally denied that capability and are therefore not expected to be able to store script in the site.
Mitigation
As of the latest references, no fix has been released; the plugin remains vulnerable up to version 1.7. Administrators should disable or remove the plugin from affected sites until a patched version becomes available. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication [1].
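The following added example is not the plugin's code and is not taken from the advisory; it illustrates the bug class the Vulnerability and Mitigation sections describe using a hypothetical plugin option (the `xyz_*` names are invented). It shows an option saved raw and echoed unescaped next to the hardened form that uses the standard WordPress APIs `register_setting` with a `sanitize_callback`, `sanitize_text_field` and `esc_attr`. Note that a capability check does not address this class of bug, since the user saving the setting is already an administrator; the fix is to sanitise on save and escape on output regardless of who saved the value.

```php
<?php
/*
 * Added illustration of the bug class in this advisory (hypothetical
 * plugin, invented option name "xyz_button_label"). Not the plugin's code.
 */

/* ---- Vulnerable pattern: stored raw, echoed raw. ---- */

function xyz_vulnerable_save() {
    // Any administrator can reach this handler. The value is stored as-is,
    // so whatever markup the submitter typed is persisted in the database.
    if ( isset( $_POST['xyz_button_label'] ) ) {
        update_option( 'xyz_button_label', wp_unslash( $_POST['xyz_button_label'] ) );
    }
}

function xyz_vulnerable_render() {
    // The stored string is placed in an attribute with no escaping, so a
    // quote or angle bracket in it breaks out of the attribute context.
    echo '<input type="submit" value="' . get_option( 'xyz_button_label' ) . '">';
}

/* ---- Hardened pattern: sanitise on save, escape on output. ---- */

function xyz_register_settings() {
    // register_setting() runs the sanitize_callback every time the option is
    // saved through the Settings API, whatever capability the saver has.
    register_setting(
        'xyz_options',
        'xyz_button_label',
        array(
            'type'              => 'string',
            // Strips tags, octets and control characters; use 'wp_kses_post'
            // instead if a limited HTML subset is genuinely required.
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => 'Buy Now',
        )
    );
}
add_action( 'admin_init', 'xyz_register_settings' );

function xyz_hardened_render() {
    // esc_attr() encodes quotes and angle brackets for attribute context,
    // so the value cannot terminate the attribute or the tag. Escaping is
    // applied at output even though the value was sanitised on save.
    $label = get_option( 'xyz_button_label', 'Buy Now' );
    echo '<input type="submit" value="' . esc_attr( $label ) . '">';
}
```

When reviewing a plugin for this class of issue, look for every `get_option()` value that is echoed into HTML and confirm it passes through `esc_html()`, `esc_attr()` or `wp_kses_post()` at the point of output, and that the matching `update_option()` or `register_setting()` path applies a sanitiser; the absence of either half is what produces the stored XSS described above.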
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1
Patches
0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. wpscan.com/vulnerability/a692b869-1666-42d1-b56d-dfcccd68ab67/ (tags: mitre, exploit, vdb-entry, technical-description)
News mentions
0
No linked articles in our index yet.