CVE-2026-3617

The Paypal Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'amount' and 'name' shortcode attributes in all versions up to, and including, 0.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The swer paypal shortcode() function extracts shortcode attributes using extract() and shortcode atts() at line 89, then directly concatenates the $name and $amount values into HTML input element value attributes at lines 105-106 without applying esc attr() or any other escaping function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.