VYPR
Unrated severity · NVD Advisory · Published Jun 21, 2024 · Updated Aug 1, 2024

PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode <= 1.7 - Contributor+ Stored XSS

CVE-2024-5448

Description

The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin through 1.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin through 1.7 is vulnerable to stored XSS via unsanitized shortcode attributes, allowing contributor-level users to inject malicious scripts.

Vulnerability

The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin through version 1.7 fails to validate and escape shortcode attributes before outputting them in a page or post. WordPress parses shortcodes out of post content for every user who can write posts, and the contributor role can do that without the unfiltered_html capability, so escaping at output time is the plugin's responsibility. Because the plugin does not do it, users with the contributor role and above can inject arbitrary HTML and JavaScript through a shortcode attribute [1].

Exploitation

An attacker with at least the contributor role can craft a shortcode (e.g., [paypal]) with an attribute value that closes the HTML attribute the plugin writes it into and appends a script tag. When the shortcode is rendered on the frontend, the script executes in the browsers of visitors viewing the page or post [1].
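The output pattern that produces this bug, beside its hardened form, as an added example that is not the plugin's own code. The page does not give the plugin's shortcode tag or attribute names, so `paypal`, `business`, `amount` and `item_name` are assumptions; `esc_attr` and `shortcode_atts` are WordPress core functions, and the guarded fallbacks below exist only so the file runs from the PHP CLI outside WordPress.

```php
<?php
// Added example, not the plugin's own code. Tag and attribute names
// ('paypal', 'business', 'amount', 'item_name') are assumptions; the page
// does not name the real ones. esc_attr() and shortcode_atts() are
// WordPress core; the fallbacks only let this file run from the CLI.

if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, array $atts): array {
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out; // unknown attributes are dropped, as WordPress does
    }
}

// Vulnerable pattern: attribute values are concatenated straight into markup,
// so a value containing a double quote ends the attribute and the rest is HTML.
function paypal_button_vulnerable(array $atts): string {
    $a = shortcode_atts(['business' => '', 'amount' => '0', 'item_name' => ''], $atts);
    return '<form action="https://www.paypal.com/cgi-bin/webscr" method="post">'
         . '<input type="hidden" name="business" value="' . $a['business'] . '">'
         . '<input type="hidden" name="amount" value="' . $a['amount'] . '">'
         . '<input type="submit" value="' . $a['item_name'] . '">'
         . '</form>';
}

// Hardened pattern: validate values with a known shape, and escape every
// value for the context it lands in (here an HTML attribute).
function paypal_button_hardened(array $atts): string {
    $a = shortcode_atts(['business' => '', 'amount' => '0', 'item_name' => ''], $atts);
    // amount must be a non-negative decimal with at most two places; else 0.
    $amount = preg_match('/^\d+(\.\d{1,2})?$/', $a['amount']) ? $a['amount'] : '0';
    return '<form action="https://www.paypal.com/cgi-bin/webscr" method="post">'
         . '<input type="hidden" name="business" value="' . esc_attr($a['business']) . '">'
         . '<input type="hidden" name="amount" value="' . esc_attr($amount) . '">'
         . '<input type="submit" value="' . esc_attr($a['item_name']) . '">'
         . '</form>';
}

// Constructed attacker input, as a contributor could type into post content:
// [paypal item_name='"><script>alert(document.cookie)</script>']
$attacker = ['item_name' => '"><script>alert(document.cookie)</script>'];

echo "VULNERABLE:\n" . paypal_button_vulnerable($attacker) . "\n\n";
echo "HARDENED:\n" . paypal_button_hardened($attacker) . "\n";
```

In the vulnerable output the quote in `item_name` terminates the `value` attribute and the script tag becomes live markup; in the hardened output the same bytes arrive as `&quot;&gt;&lt;script&gt;...` inside the attribute and render as text. Escaping at the point of output is the fix; restricting who can type the shortcode is only a workaround.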

Impact

Successful exploitation leads to stored cross-site scripting (XSS), enabling the attacker to execute arbitrary JavaScript in the context of the victim's session. This can result in data theft, session hijacking, or defacement [1].

Mitigation

As of the publication date, no fix has been released. The affected version is 1.7 and earlier. Users are advised to restrict the contributor role's ability to use the plugin's shortcode or to deactivate the plugin until a patch is available [1]. Note that contributors cannot publish, so the payload reaches site visitors only after an editor or administrator publishes the post, but it already executes in that reviewer's browser when the pending post is previewed, since preview renders the content through the same shortcode handler.
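One way to implement the workaround of keeping the shortcode out of content written by lower-privileged users, as an added example that is not the plugin's own code: a must-use plugin that strips the tag from post content saved by anyone without the unfiltered_html capability (contributors and authors by default on a single-site install). `wp_insert_post_data`, `current_user_can`, `wp_unslash`, `wp_slash` and `add_filter` are WordPress core; the tag name `paypal` and the file path are assumptions.

```php
<?php
// Added example, not the plugin's own code. Assumed file location:
// wp-content/mu-plugins/block-paypal-shortcode.php
// The tag name 'paypal' is an assumption; the page does not give the real tag.
// Intended as a stop-gap until the plugin escapes its attributes.

function strip_tag_for_untrusted_user(string $content, string $tag, bool $trusted): string {
    if ($trusted) {
        return $content;
    }
    $t = preg_quote($tag, '/');
    // Removes [tag], [tag attr=...], [tag .../] and [tag ...]...[/tag].
    $pattern = '/\[' . $t . '(?:\s[^\]]*)?\](?:.*?\[\/' . $t . '\])?/s';
    return preg_replace($pattern, '', $content) ?? $content;
}

if (function_exists('add_filter')) {
    // Runs on every insert and update, drafts included, before the row is written.
    // $data['post_content'] arrives slashed, hence the unslash/slash pair.
    add_filter('wp_insert_post_data', function (array $data) {
        $trusted = current_user_can('unfiltered_html');
        $clean = strip_tag_for_untrusted_user(wp_unslash($data['post_content']), 'paypal', $trusted);
        $data['post_content'] = wp_slash($clean);
        return $data;
    }, 10, 1);
} else {
    // Stand-alone run from the CLI with constructed input.
    $draft = "Support us: [paypal item_name='\"><script>alert(1)</script>'] thanks";
    echo strip_tag_for_untrusted_user($draft, 'paypal', false) . "\n";
    echo strip_tag_for_untrusted_user($draft, 'paypal', true) . "\n";
}
```

Gating on unfiltered_html rather than on the role name follows the capability WordPress itself uses to decide who may save raw HTML, so editors and administrators keep the button while contributors lose it. On multisite only super administrators hold unfiltered_html by default, so the filter would also strip the tag from editors' posts there.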

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 1

News mentions: 0 (no linked articles in the index yet)