Paypal Donation < 1.3.2 – Admin+ Stored Cross-Site Scripting | CVE 2021-24815 | Plugin Vulnerabilities

Description

The plugin does not escape the Amount Menu Name field of created Buttons, which could allow a high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

Create/Edit a Button and put the following payload in the Amount Menu Name field (wpedon_button_scpriceprice parameter): " autofocus=autofocus onfocus=alert(/XSS/) e=

The XSS will trigger when editing the affected Button

Affects Plugins

easy-paypal-donation

Fixed in 1.3.2

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

dc11

Submitter

dc11

Verified

Yes

WPVDB ID

08f4ebf5-6bbe-4fb0-a9d2-c8a994afe39b

Timeline

Publicly Published

2021-10-18 (about 4 years ago)

Added

2021-10-18 (about 4 years ago)

Last Updated

2022-04-14 (about 3 years ago)

Other

Published

Title

Published

2025-04-04

Title

Rollbar < 3.0.0 - Cross-Site Request Forgery

Published

2025-07-26

Title

Memory Usage < 3.99 - Cross-Site Request Forgery to Limited Plugin Installation via wpmemory_install_plugin Function

Published

2023-05-31

Title

TS Webfonts for さくらのレンタルサーバ < 3.1.3 - Font Type Settings Change via CSRF

Published

2025-11-20

Title

Custom Post Type <= 1.0 - Cross-Site Request Forgery to Custom Post Type Deletion

Published

2024-02-27

Title

Easy PayPal & Stripe Buy Now Button <= 1.8.3 & Contact Form 7 – PayPal & Stripe Add-on <= 2.1 - Cross-Site Request Forgery to Settings Update