CVE-2025-13966
📋 TL;DR
The PayPal Payment Shortcode WordPress plugin (versions up to 1.01) has a stored XSS vulnerability in the 'buttom_image' parameter. Authenticated attackers with Contributor access or higher can inject malicious scripts that execute when users view compromised pages. This affects all WordPress sites using the vulnerable plugin version.
💻 Affected Systems
- PayPal Payment Shortcode WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal admin credentials, redirect users to malicious sites, deface websites, or install backdoors for persistent access.
Likely Case
Attackers with contributor access inject malicious scripts to steal session cookies or redirect users to phishing pages.
If Mitigated
With proper user role management and content review, impact is limited to potential defacement of specific pages.
🎯 Exploit Status
Exploitation requires authenticated access with at least Contributor privileges. The vulnerability is straightforward to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
1. Remove the PayPal Payment Shortcode plugin completely. 2. Replace with an alternative PayPal integration solution. 3. Review and clean any posts/pages using the [paypal-shortcode] shortcode.
🔧 Temporary Workarounds
Disable Contributor Role
allTemporarily disable or restrict the Contributor role to prevent exploitation
Input Validation Filter
allAdd custom WordPress filter to sanitize 'buttom_image' parameter
add_filter('pre_shortcode_atts', 'sanitize_paypal_shortcode', 10, 2); function sanitize_paypal_shortcode($out, $pairs) { if(isset($out['buttom_image'])) { $out['buttom_image'] = esc_url($out['buttom_image']); } return $out; }
🧯 If You Can't Patch
- Remove plugin immediately and use alternative PayPal integration
- Implement strict user role management and audit all contributor content
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > PayPal Payment Shortcode. If version is 1.01 or lower, you are vulnerable.Check Version:
wp plugin list --name='paypal-payments-shortcode' --field=versionVerify Fix Applied:
Verify plugin is removed from WordPress installation and no [paypal-shortcode] shortcodes remain in posts/pages.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin with buttom_image parameter containing script tags
- Multiple page edits by contributor users
Network Indicators:
- External script loads from unexpected domains in page responses
SIEM Query:
source="wordpress.log" AND "buttom_image" AND ("<script" OR "javascript:")🔗 References
- https://plugins.trac.wordpress.org/browser/paypal-payments-shortcode/tags/1.01/sls-paypal-payments-shortcode.php#L10
- https://plugins.trac.wordpress.org/browser/paypal-payments-shortcode/tags/1.01/sls-paypal-payments-shortcode.php#L55
- https://plugins.trac.wordpress.org/browser/paypal-payments-shortcode/trunk/sls-paypal-payments-shortcode.php#L10
- https://plugins.trac.wordpress.org/browser/paypal-payments-shortcode/trunk/sls-paypal-payments-shortcode.php#L55
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b0b1fbb1-fc2c-4eb9-89c6-364ca8c385db?source=cve
