PT-2021-16087 · WordPress · Accept Donations With Paypal

Dc11 · Published 2021-11-01 · Updated 2022-11-09 · CVE-2021-24570

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Accept Donations with PayPal WordPress plugin, versions prior to 1.3.1

Description: The plugin does not perform a CSRF check when creating new donation buttons, which are stored internally as posts. An attacker can therefore cause an authenticated administrator to create a new button. In addition, a Button field is not escaped before being output in an HTML attribute on the Button edit screen, resulting in Stored Cross-Site Scripting.

Recommendations: For versions prior to 1.3.1, update to version 1.3.1 or later. As a temporary workaround, restrict access to the donation button creation feature to reduce the risk of exploitation.
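The two defensive checks the description implies a corrected handler needs, shown as an added illustration rather than the plugin's own code: a capability and nonce check before the button post is inserted, and attribute escaping when the stored field is rendered. The `adwp_*` function, action, field and post-type names are assumptions; the WordPress API calls are real.

```php
<?php
// Added illustration, not the plugin's code. All adwp_* names are hypothetical.

// Handler for the "create donation button" admin-post action.
// Without check_admin_referer(), a form submitted from any page an
// administrator visits would create a button on their behalf (CSRF).
function adwp_handle_create_button() {
    // 1. Capability check: only users allowed to administer the site.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 2. CSRF check: verifies the nonce emitted by wp_nonce_field() in the
    //    form and terminates the request if it is missing or invalid.
    check_admin_referer( 'adwp_create_button', 'adwp_nonce' );

    // 3. Sanitize input before the button is stored as a post.
    $title   = sanitize_text_field( wp_unslash( $_POST['adwp_title'] ?? '' ) );
    $post_id = wp_insert_post( array(
        'post_type'   => 'adwp_button', // hypothetical button post type
        'post_title'  => $title,
        'post_status' => 'publish',
    ), true );
    if ( is_wp_error( $post_id ) ) {
        wp_die( esc_html( $post_id->get_error_message() ) );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=adwp-buttons' ) );
    exit;
}
add_action( 'admin_post_adwp_create_button', 'adwp_handle_create_button' );

// The creation form must emit the nonce the handler verifies.
function adwp_render_create_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="adwp_create_button">';
    wp_nonce_field( 'adwp_create_button', 'adwp_nonce' );
    echo '<input type="text" name="adwp_title">';
    submit_button( 'Create button' );
    echo '</form>';
}

// Edit screen: a stored field placed inside an attribute must pass through
// esc_attr(). Echoing the raw value is the stored XSS pattern described above.
function adwp_render_edit_field( $post_id ) {
    $title = get_post_field( 'post_title', $post_id, 'raw' );
    echo '<input type="text" name="adwp_title" value="' . esc_attr( $title ) . '">';
}
```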

Tags: XSS, CSRF

Related Identifiers: CVE-2021-24570

Affected Products: Accept Donations With Paypal