Hong Kong NGO Advisory: PayPal Donations XSS (CVE-2025-57891)

WordPress Recurring PayPal Donations Plugin
Plugin Name: Recurring PayPal Donations
Type of Vulnerability: Cross-Site Scripting (XSS)
CVE Number: CVE-2025-57891
Urgency: Low
CVE Publish Date: 2025-08-22
Source URL: CVE-2025-57891

Vulnerability Advisory — Recurring PayPal Donations Plugin (≤ 1.8): Cross‑Site Scripting (XSS) — CVE‑2025‑57891

Published: 22 August 2025
Reported: 15 July 2025 (researcher: Nabil Irawan)
Severity: Low (CVSS 5.9)
Required privilege to trigger: Administrator
Fixed in: 1.9

This advisory explains a stored Cross‑Site Scripting (XSS) vulnerability affecting versions 1.8 and earlier of the “Recurring PayPal Donations” WordPress plugin (CVE‑2025‑57891). It is written from the perspective of a Hong Kong security expert and targets site administrators, developers and incident responders: how the issue works, how to detect exploitation, immediate mitigations you can apply, and secure coding fixes plugin authors should implement.


Executive summary

  • What happened: A stored XSS vulnerability was found in Recurring PayPal Donations (≤ 1.8). Administrator‑entered content is saved and later rendered without sufficient escaping or filtering, so injected HTML/JavaScript runs in the browsers of site visitors and of other administrators.
  • Risk: rated Low (CVSS 5.9, a score that falls in the CVSS Medium band) because an attacker needs Administrator privileges to plant the payload. Even so, a stored XSS can steal sessions, redirect donations to an attacker‑controlled destination, deface pages, or deliver further client‑side payloads.
  • Immediate fix: Upgrade the plugin to version 1.9 (or later), which includes the security fix.
  • Interim mitigations: If you cannot update immediately, apply targeted mitigations: virtual patching with a WAF, a Content Security Policy (CSP) header, scanning and sanitising stored data with a maintenance script, and reducing admin exposure (IP restrictions, MFA).

How this XSS works — technical overview

The published details describe a stored XSS: admin‑entered content is saved and later output without proper escaping. The affected field is not identified in the data above; in donation plugins the usual candidates are donation descriptions, thank‑you messages, receipt templates and custom HTML fields. If such a value is stored and printed with a raw echo/print, without esc_html(), esc_attr(), wp_kses() or the equivalent for that output context, any script it contains executes in the browser of every visitor who views the affected output.

Because the attacker must hold Administrator privileges to save the content, this is not an unauthenticated, remotely exploitable flaw. It still matters: a stolen or phished admin session, a rogue insider, or leaked developer credentials is enough to plant a persistent payload that then runs for site visitors and for every other administrator who views the affected page.

Key indicators:

  • The plugin stores user content (options or postmeta) and later outputs it without escaping.
  • The plugin accepts input fields where HTML is permitted and does not apply sanitisation on save or escaping on render.
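To make the two indicators concrete, the following is an added illustration, not code from the Recurring PayPal Donations plugin or the advisory: a hypothetical thank‑you message, button label and PayPal URL setting, written first the way stored XSS arises (raw save, raw echo) and then hardened with a sanitize_callback on save and context‑specific escaping on output. It assumes WordPress is loaded; every option and field name in it is invented for the example.

```php
<?php
/**
 * Added illustration (not code from the Recurring PayPal Donations plugin):
 * a hypothetical thank-you message, button label and PayPal URL setting,
 * shown first the way stored XSS happens and then hardened.
 * Assumes WordPress is loaded; all option and field names are invented here.
 */

/* ---- Vulnerable pattern: stored raw, echoed raw ---------------------- */

// Save: whatever the administrator typed is written to wp_options unchanged.
function rpd_demo_vuln_save( array $posted ) {
    update_option( 'rpd_demo_thankyou', $posted['thankyou'] );      // no sanitisation
    update_option( 'rpd_demo_paypal_url', $posted['paypal_url'] );  // no scheme check
}

// Render: raw echo, so <script> or onerror= handlers execute for every visitor,
// and a javascript: URL in the link runs when the donor clicks "Donate".
function rpd_demo_vuln_render() {
    echo '<div class="rpd-thankyou">' . get_option( 'rpd_demo_thankyou' ) . '</div>';
    echo '<a href="' . get_option( 'rpd_demo_paypal_url' ) . '">Donate</a>';
}

/* ---- Hardened pattern: sanitise on save, escape on output ------------ */

// 1. Register each option with a sanitize_callback so every write through the
//    Settings API is filtered, with the callback chosen by what the field may hold.
add_action( 'admin_init', function () {
    register_setting( 'rpd_demo_settings', 'rpd_demo_thankyou', array(
        'type'              => 'string',
        'sanitize_callback' => 'wp_kses_post',        // limited HTML allowed
        'default'           => '',
    ) );
    register_setting( 'rpd_demo_settings', 'rpd_demo_button_label', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field', // plain text only
        'default'           => 'Donate',
    ) );
    register_setting( 'rpd_demo_settings', 'rpd_demo_paypal_url', array(
        'type'              => 'string',
        'sanitize_callback' => 'esc_url_raw',         // drops javascript: and data: schemes
        'default'           => '',
    ) );
} );

// 2. Escape at the point of output, by context. Sanitising on save is not
//    enough on its own: a value may have reached the database through another
//    path (an older plugin version, WP-CLI, direct SQL), so escape again here.
function rpd_demo_safe_render() {
    $message = get_option( 'rpd_demo_thankyou', '' );
    $label   = get_option( 'rpd_demo_button_label', 'Donate' );
    $url     = get_option( 'rpd_demo_paypal_url', '' );

    // HTML body context where some markup is wanted: wp_kses_post keeps <p>, <a>,
    // <strong> etc. and removes <script>, on* attributes and javascript: URLs.
    echo '<div class="rpd-thankyou">' . wp_kses_post( $message ) . '</div>';

    // Attribute context: esc_attr (esc_url for href). Text-node context: esc_html.
    printf(
        '<a class="rpd-donate" href="%s" title="%s">%s</a>',
        esc_url( $url ),
        esc_attr( $label ),
        esc_html( $label )
    );
}

// Expose the hardened renderer as a shortcode for the demo; a real plugin would
// use its own template or shortcode.
add_shortcode( 'rpd_demo_thankyou', function () {
    ob_start();
    rpd_demo_safe_render();
    return ob_get_clean();
} );
```

The choice of filter follows the field: esc_html() is right for a label but would show a legitimately formatted thank‑you message as literal tags, so for rich fields the fix is to narrow what is allowed (wp_kses_post(), or a custom allowlist passed to wp_kses()) rather than to skip escaping. For the URL field, esc_url_raw() on save and esc_url() on output both return an empty string for a javascript: scheme, which closes the "redirect the donation" path.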

Reproduction (high level)

Exploit code is not published here. At a high level, an administrator can confirm the issue as follows:

  1. Log in to WP Admin as an Administrator.
  2. Open the Recurring PayPal Donations plugin settings or UI that accepts free text/custom messages.
  3. Enter HTML/JavaScript into a field that persists (e.g., donation message, thank you page content).
  4. Save settings; the content is stored in options/postmeta.
  5. A visitor or another admin views the frontend or plugin preview where the content is rendered; the malicious script executes.

The payload persists until removed, potentially affecting multiple visitors and admins.
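Because the payload lives in the database, an incident responder has to find every stored copy, not only the one that was noticed. The following is an added example, not code from the advisory or from the plugin: a WP‑CLI command (the name rpd-scan and the --fix flag are this example's own) that walks wp_options and wp_postmeta for values carrying script markers and, with --fix, passes plain string values through wp_kses_post(). It assumes WordPress with WP‑CLI; the markers are heuristics and will flag some legitimate HTML, so review the report and take a database backup before running --fix.

```php
<?php
/**
 * Added example (not part of the advisory or the plugin): a WP-CLI command that
 * scans wp_options and wp_postmeta for persisted XSS markers.
 * Drop into wp-content/mu-plugins/ and run:  wp rpd-scan        (report only)
 *                                             wp rpd-scan --fix  (clean plain strings)
 * Assumes WordPress + WP-CLI; the command name and marker list are this example's own.
 */

/**
 * Heuristic markers that have no place in a donation message or label.
 * Kept as a pure function so it can be exercised outside WordPress.
 *
 * @return string[] labels of the markers found (empty array = nothing suspicious)
 */
function rpd_scan_find_markers( string $value ): array {
    $patterns = array(
        'script tag'            => '/<\s*script\b/i',
        'inline event handler'  => '/\bon[a-z]+\s*=/i',                   // onerror=, onload= ...
        'javascript: URL'       => '/javascript\s*:/i',
        'data: URL in src/href' => '/(?:src|href)\s*=\s*["\']?\s*data:/i',
        'active embed element'  => '/<\s*(?:svg|iframe|object|embed|math)\b/i',
        'entity-encoded <'      => '/&#x?0*3c;?/i',                       // "<" written as &#60; or &#x3c;
    );
    $hits = array();
    foreach ( $patterns as $label => $regex ) {
        if ( preg_match( $regex, $value ) ) {
            $hits[] = $label;
        }
    }
    return $hits;
}

if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'rpd-scan', function ( $args, $assoc_args ) {
        global $wpdb;
        $fix   = isset( $assoc_args['fix'] );
        $found = 0;

        // Cheap SQL pre-filter (a literal '<', an entity, or the word javascript),
        // then the regexes above decide in PHP.
        $likes = array();
        foreach ( array( '<', '&#', 'javascript' ) as $needle ) {
            $likes[] = '%' . $wpdb->esc_like( $needle ) . '%';
        }

        $tables = array(
            // table, id column, key column, value column
            array( $wpdb->options,  'option_id', 'option_name', 'option_value' ),
            array( $wpdb->postmeta, 'meta_id',   'meta_key',    'meta_value'   ),
        );

        foreach ( $tables as list( $table, $id_col, $key_col, $val_col ) ) {
            $rows = $wpdb->get_results( $wpdb->prepare(
                "SELECT {$id_col} AS id, {$key_col} AS k, {$val_col} AS v FROM {$table}
                 WHERE {$val_col} LIKE %s OR {$val_col} LIKE %s OR {$val_col} LIKE %s",
                $likes
            ) );

            foreach ( $rows as $row ) {
                $hits = rpd_scan_find_markers( $row->v );
                if ( ! $hits ) {
                    continue;
                }
                $found++;
                WP_CLI::warning( sprintf( '%s #%d (%s): %s', $table, $row->id, $row->k, implode( ', ', $hits ) ) );
                if ( ! $fix ) {
                    continue;
                }
                // A serialized array/object must not go through a string filter:
                // that corrupts it. Report it and clean it by hand instead.
                if ( is_serialized( $row->v ) ) {
                    WP_CLI::log( '  serialized value, skipped; inspect manually' );
                    continue;
                }
                $clean = wp_kses_post( $row->v );
                $wpdb->update( $table, array( $val_col => $clean ), array( $id_col => $row->id ) );
                WP_CLI::log( '  cleaned' );
            }
        }

        wp_cache_flush(); // options and meta are cached; make the cleaned rows visible
        if ( $found ) {
            WP_CLI::warning( "{$found} suspicious value(s) found" );
        } else {
            WP_CLI::success( 'No XSS markers found in options or postmeta' );
        }
    } );
}
```

Run the report mode first and keep the output with the incident record: the option name or meta key that carried the payload tells you which plugin field was abused, and the row's post_id or option name is what you will correlate with admin activity logs when establishing which account planted it.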


Immediate actions for site administrators (priority order)

  1. Upgrade to plugin version 1.9 or later.
    This is the definitive fix from the plugin author. Schedule and perform the update during an appropriate maintenance window.
  2. If you cannot update immediately, apply temporary mitigations:

    • Deploy a targeted WAF rule (virtual patch) that blocks common XSS payloads submitted to the plugin’s settings endpoints. Treat it as a stopgap: an attacker who already holds an admin session can usually encode around signature‑based filtering.
    • Restrict wp‑admin and plugin settings pages by IP or require VPN access where feasible.
    • Enforce strong admin account hygiene: rotate admin passwords, enable multi‑factor authentication, and audit admin users for unknown accounts.
    • Add a Content Security Policy (CSP) to limit what an injected script can do. Roll it out as Content-Security-Policy-Report-Only first and review the reports: WordPress core, themes and many plugins emit inline scripts, which a policy without nonces or hashes blocks. CSP constrains a stored payload but does not remove it. Example minimal header, where https://trusted.paypal.com stands for whichever PayPal host your donation button actually loads scripts from:
      Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.paypal.com; object-src 'none'; base-uri 'self';
  3. Search for and remove malicious stored content:

    • Scan options and postmeta for