CVE-2025-7669
Description
The Avishi WP PayPal Payment Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0. This is due to missing or incorrect nonce validation on the 'avishi-wp-paypal-payment-button/index.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Avishi WP PayPal Payment Button plugin for WordPress is vulnerable to CSRF due to missing nonce validation, allowing attackers to inject malicious scripts and update settings.
Vulnerability
Details
The Avishi WP PayPal Payment Button plugin for WordPress versions 2.0 and earlier is vulnerable to Cross-Site Request Forgery (CSRF) due to missing or incorrect nonce validation on the plugin's admin page (avishi-wp-paypal-payment-button/index.php). This allows an unauthenticated attacker to perform unauthorized actions on behalf of a site administrator.
Exploitation
The vulnerability can be exploited by tricking a logged-in administrator into visiting a crafted link. No authentication is required from the attacker's side. This is a classic CSRF attack vector, where the attacker can force the administrator to unknowingly submit a request to the plugin's settings page.
Impact
A successful exploit enables the attacker to modify plugin settings and, critically, inject malicious web scripts. This can lead to stored cross-site scripting (XSS) if the injected scripts are output on admin-facing pages, potentially compromising the site's security.
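The root cause named above is a settings handler that accepts a POST without verifying a WordPress nonce. The following is an added illustration of that bug class and its fix; it is not the Avishi plugin's code, and the option name `example_paypal_button_settings`, the hook and the field names are hypothetical. It shows the unprotected save pattern next to a hardened handler that checks the nonce, checks the caller's capability, and sanitizes the stored values so a forged request from a logged-in administrator's browser is rejected and the stored-XSS path is closed.

```php
<?php
// Added illustration (not the plugin's code). Option and field names are
// hypothetical; the WordPress API calls are the real ones.

// --- Vulnerable pattern: any POST carrying the fields is saved. No nonce, no
// capability check, no sanitization. A cross-site form auto-submitted by an
// admin's browser is indistinguishable from the admin filling in the form.
function example_save_settings_vulnerable() {
    if ( isset( $_POST['button_label'] ) ) {
        update_option( 'example_paypal_button_settings', array(
            'button_label' => $_POST['button_label'], // raw input: stored XSS risk
            'paypal_email' => $_POST['paypal_email'],
        ) );
    }
}

// --- Hardened pattern: the form embeds a nonce bound to an action name...
function example_render_settings_form() {
    $settings = get_option( 'example_paypal_button_settings', array() );
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <label>Button label
            <input type="text" name="button_label"
                   value="<?php echo esc_attr( $settings['button_label'] ?? '' ); ?>">
        </label>
        <label>PayPal email
            <input type="email" name="paypal_email"
                   value="<?php echo esc_attr( $settings['paypal_email'] ?? '' ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// ...and the handler refuses to act unless that nonce and the capability check out.
function example_save_settings_hardened() {
    if ( ! isset( $_POST['example_nonce'] ) ) {
        return; // not a submission of our form; nothing to do
    }

    // 1. Nonce: proves the request originated from a form this site issued to
    //    this user. check_admin_referer() terminates the request on failure.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // 2. Capability: a valid nonce from a low-privilege user is not enough to
    //    change site settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), 403 );
    }

    // 3. Sanitize on input (and escape on output, as esc_attr() does above).
    $label = sanitize_text_field( wp_unslash( $_POST['button_label'] ?? '' ) );
    $email = sanitize_email( wp_unslash( $_POST['paypal_email'] ?? '' ) );

    update_option( 'example_paypal_button_settings', array(
        'button_label' => $label,
        'paypal_email' => $email,
    ) );
}
add_action( 'admin_init', 'example_save_settings_hardened' );
```

The three checks are independent: the nonce defeats CSRF, the capability check stops a logged-in subscriber from saving settings with a nonce of their own, and sanitizing stored values removes the script-injection payload even if the first two were somehow bypassed. When reviewing a plugin for this class of bug, look for every `update_option()` (or direct `$_POST` use) on an admin page that is not preceded by `check_admin_referer()` or `wp_verify_nonce()` plus a `current_user_can()` check.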
Mitigation
The plugin has been closed as of July 17, 2025, and is no longer available for download due to this security issue [1]. As no patch is available, users are strongly advised to remove the plugin from their WordPress installations.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), version range: <=2.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.