CVE-2026-3617

Name of the Vulnerable Software and Affected Versions Paypal Shortcode plugin for WordPress versions up to and including 0.3

Description The Paypal Shortcode plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'amount' and 'name' shortcode attributes. This is a result of inadequate input sanitization and output escaping of user-provided shortcode attributes. The swer paypal shortcode() function retrieves shortcode attributes using extract() and shortcode atts() and then directly incorporates the name and amount values into HTML input element value attributes without proper escaping. This allows authenticated attackers with Contributor-level access or higher to inject malicious web scripts into pages, which will execute when a user accesses the affected page. The vulnerable parameters are amount and name.

Recommendations Update the Paypal Shortcode plugin to a version beyond 0.3.