WordPress Plugin Vulnerabilities

Accept Donations with PayPal < 1.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Description

The Accept Donations with PayPal & Stripe plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.5. This is due to missing or incorrect nonce validation on the render() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
easy-paypal-donation
Fixed in 1.5

References

CVE
CVE-2025-47517
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/6b75ffbe-ef47-4f37-811d-2d501c22b56d

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Nabil Irawan
Verified
No
WPVDB ID
567568ed-fa4f-48d2-a2e3-491bca58d488

Timeline

Publicly Published
2025-05-07 (about 1 year ago)
Added
2025-05-12 (about 1 year ago)
Last Updated
2025-05-12 (about 1 year ago)

Other

Published
Title
Published
2025-03-04
Title
I Am Gloria <= 1.1.4 - Cross-Site Request Forgery
Published
2025-01-16
Title
Comment-Emailer <= 1.0.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2021-08-16
Title
Multiple Plugins - CSRF Bypass
Published
2023-11-23
Title
Taxonomy filter < 2.2.10 - Settings Update via CSRF
Published
2025-03-11
Title
Plugins Last Updated Column < 0.1.4 - Cache Clear via CSRF