WordPress Plugin Vulnerabilities

Donation Block for PayPal <= 2.1.0 - Unauthenticated Stored XSS

Description

The plugin does not sanitise and escape form submissions, leading to a stored cross-site scripting vulnerability

Proof of Concept

Affects Plugins

Plugin icon
donations-block
No known fix

References

CVE
CVE-2024-6021

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Bob Matyas
Submitter
Bob Matyas
Submitter website
https://www.bobmatyas.com
Submitter twitter
bobmatyas
Verified
Yes
WPVDB ID
9d83cffd-7dcd-4301-8d4d-3043b14e05b5

Timeline

Publicly Published
2024-07-09 (about 1 year ago)
Added
2024-07-09 (about 1 year ago)
Last Updated
2024-07-09 (about 1 year ago)

Other

Published
Title
Published
2024-10-14
Title
Country Flags for Elementor <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-03-24
Title
My Default Post Content <= 0.7.3 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2025-04-24
Title
GTDB Guitar Tuners <= 4.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-12-29
Title
Post Timeline < 2.3.10 - Reflected Cross-Site Scripting
Published
2025-03-27
Title
Ultimate Dashboard < 3.8.6 - Admin+ Stored XSS