CVE-2021-24570

CWE-79 — Cross-site Scripting (XSS)CWE-352 — Cross-Site Request Forgery (CSRF)3 documents3 sources

Severity

4.3MEDIUM

EPSS

0.2%

top 56.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown Accept Donations With Paypal Wpplugin Accept Donations With Paypal

Timeline

PublishedNov 1

Latest updateMay 24

Description

The Accept Donations with PayPal WordPress plugin before 1.3.1 offers a function to create donation buttons, which internally are posts. The process to create a new button is lacking a CSRF check. An attacker could use this to make an authenticated admin create a new button. Furthermore, one of the Button field is not escaped before being output in an attribute when editing a Button, leading to a Stored Cross-Site Scripting issue as well.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDwpplugin/accept_donations_with_paypal< 1.3.1

▶CVEListV5unknown/accept_donations_with_paypal1.3.1 — 1.3.1

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-8825-wr78-6h2r: The Accept Donations with PayPal WordPress plugin before 1↗2022-05-24

▶

CVEList

Paypal Donation < 1.3.1 - CSRF to Stored Cross-Site Scripting↗2021-11-01

▶