CVE-2026-4072

Name of the Vulnerable Software and Affected Versions WordPress PayPal Donation plugin versions prior to 1.02

Description The WordPress PayPal Donation plugin is susceptible to Stored Cross-Site Scripting through the 'donate' shortcode. This is caused by inadequate input sanitization and output escaping of user-supplied shortcode attributes, including amount, email, title, return url, cancel url, ccode, and image. The wordpress paypal donation create() function utilizes extract(shortcode atts(...)) to process shortcode attributes and directly incorporates these values into HTML output without proper escaping. This allows authenticated attackers with Contributor-level access or higher to inject malicious web scripts into pages, which will execute when a user accesses the affected page.

Recommendations Update the WordPress PayPal Donation plugin to version 1.02 or later.