CVE-2025-27003

Vulnerability

Overview

A Cross-Site Request Forgery (CSRF) vulnerability exists in the fullworks Quick Paypal Payments plugin for WordPress, affecting versions from n/a through 5.7.46. The issue stems from insufficient validation of request origins, allowing an attacker to craft malicious requests that are executed under the authentication of a higher-privileged user [1].

Exploitation

Details

To exploit this vulnerability, an attacker must trick a privileged user (such as an administrator) into clicking a malicious link, visiting a crafted page, or submitting a specially designed form. No authentication. No direct network access to the target site is required beyond the ability to deliver the crafted payload to the victim user [1].

Impact

Successful exploitation could allow an attacker to force the victim to perform unintended actions within the plugin's context, such as changing settings or initiating payments, under the victim's current session and privileges. The CVSS v3 base score is 4.3 indicates a medium severity, with low impact to confidentiality, integrity, and availability [1].

Mitigation

The vendor has released version 5.7.47 which addresses the vulnerability. Users are strongly advised to update immediately. For those unable to update, consulting a hosting provider or web developer is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].