CVE-2025-1689

6.4 MEDIUM

📋 TL;DR

The ThemeMakers PayPal Express Checkout plugin for WordPress versions up to 1.1.9 contains a stored cross-site scripting vulnerability in the 'paypal' shortcode. Authenticated attackers with contributor-level permissions or higher can inject malicious scripts that execute when users view compromised pages. This affects WordPress sites using the vulnerable plugin.

💻 Affected Systems

Products:
  • ThemeMakers PayPal Express Checkout WordPress Plugin
Versions: Up to and including version 1.1.9
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable plugin enabled. Contributor-level or higher user accounts are needed for exploitation.

📦 What is this software?

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with contributor privileges or higher. The vulnerability is in a publicly available WordPress plugin.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 1.1.9

Vendor Advisory: https://github.com/ThemeMakers/tmm_paypal_checkout/commit/d6d3b1877ed705ac171cf7e74a6e866fc135ba22

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'PayPal Express Checkout' plugin.
4. Click 'Update Now' if available.
5. If no update appears, manually download the latest version from GitHub and replace the plugin files.

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily disable the vulnerable plugin until patched

wp plugin deactivate tmm_paypal_checkout

Restrict User Roles

all

Limit contributor-level access to trusted users only

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads
  • Remove 'paypal' shortcode usage from all posts and pages

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → PayPal Express Checkout → Version number. If version is 1.1.9 or lower, system is vulnerable.

Check Version:

wp plugin get tmm_paypal_checkout --field=version

Verify Fix Applied:

After the update, verify that the plugin version is higher than 1.1.9. Test the 'paypal' shortcode with script payloads in a non-production environment to confirm that attribute values are now sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to wp-admin with script tags in parameters
  • Multiple page edits by contributor-level users

Network Indicators:

  • Unexpected script tags in HTTP responses containing 'paypal' shortcode

SIEM Query:

source="wordpress.log" AND "paypal" AND ("<script>" OR "javascript:")
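The following is an added example, not part of this advisory and not code from the plugin, that turns the log indicators and SIEM query above into a small checker run over constructed audit-log lines. It flags POST requests to wp-admin whose decoded body carries a 'paypal' shortcode containing a script tag, a javascript: URI or an inline event handler, and lists contributor accounts that exceed an edit threshold. The log line format, the user names, the shortcode attribute names and the threshold are assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import quote_plus, unquote_plus


def make_line(ts, user, role, content):
    """Build one constructed log line (assumed format) with a URL-encoded POST body."""
    return (f'{ts} user={user} role={role} POST /wp-admin/post.php '
            f'body=content={quote_plus(content)}')


# Constructed sample log lines (not taken from the advisory or any real site).
SAMPLE_LOG = [
    make_line('2025-02-01T10:00:00Z', 'alice', 'contributor',
              '[paypal item="Book" price="10"]'),
    make_line('2025-02-01T10:05:00Z', 'mallory', 'contributor',
              '[paypal item="Book<script>x</script>"]'),
    make_line('2025-02-01T10:06:00Z', 'mallory', 'contributor',
              '[paypal item="javascript:void(0)" price="1"]'),
    make_line('2025-02-01T10:07:00Z', 'mallory', 'contributor',
              '[paypal item="x" onmouseover="x()"]'),
    make_line('2025-02-01T10:10:00Z', 'carol', 'editor',
              'Plain text mentioning paypal and a script of a play'),
]

# Assumed log layout: timestamp, user, role, method, path, then the raw body.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) '
    r'(?P<method>[A-Z]+) (?P<path>\S+) body=(?P<body>.*)$')

# Only look inside [paypal ...] shortcodes to keep noise down.
SHORTCODE_RE = re.compile(r'\[paypal\b[^\]]*\]', re.IGNORECASE)

# The three indicator classes named in the advisory's detection section.
PAYLOAD_PATTERNS = {
    'script_tag': re.compile(r'<\s*script\b', re.IGNORECASE),
    'javascript_uri': re.compile(r'javascript\s*:', re.IGNORECASE),
    'event_handler': re.compile(r'\bon[a-z]+\s*=', re.IGNORECASE),
}


def parse_line(line):
    """Parse one log line into a dict, decoding the body so encoded payloads are visible."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['body'] = unquote_plus(rec['body'])
    return rec


def indicators_in(text):
    """Return sorted names of payload patterns found inside any [paypal ...] shortcode."""
    hits = set()
    for shortcode in SHORTCODE_RE.findall(text):
        for name, pattern in PAYLOAD_PATTERNS.items():
            if pattern.search(shortcode):
                hits.add(name)
    return sorted(hits)


def scan_log(lines, edit_threshold=3):
    """Scan log lines; return payload hits and contributors at or above the edit threshold."""
    payload_hits = []
    edits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['method'] != 'POST' or not rec['path'].startswith('/wp-admin/'):
            continue
        if rec['role'] == 'contributor':
            edits[rec['user']] += 1
        found = indicators_in(rec['body'])
        if found:
            payload_hits.append({'ts': rec['ts'], 'user': rec['user'], 'indicators': found})
    bursty = sorted(user for user, n in edits.items() if n >= edit_threshold)
    return {'payload_hits': payload_hits, 'bursty_contributors': bursty}


if __name__ == '__main__':
    result = scan_log(SAMPLE_LOG)
    for hit in result['payload_hits']:
        print(f"{hit['ts']} {hit['user']}: {', '.join(hit['indicators'])}")
    print('contributors over edit threshold:', result['bursty_contributors'])
```

Two points the checker makes that a plain string match does not: form bodies in real logs are URL-encoded, so a literal search for "<script>" as in the SIEM query above misses the encoded form unless the body is decoded first, and restricting the match to the shortcode itself avoids flagging ordinary prose that happens to contain the word "script". The event-handler pattern will also match any legitimate shortcode attribute whose name starts with "on", so treat that class as a lead to review rather than a verdict.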
