Attack Vectors
WordPress PayPal Donation (slug: wordpress-paypal-donation) has a Medium-severity stored cross-site scripting (XSS) vulnerability (CVSS 6.4) tracked as CVE-2026-4072. The issue affects all versions up to and including 1.01.
The attack requires an authenticated WordPress account with Contributor-level permissions or higher. An attacker can place a malicious payload into the plugin’s donate shortcode attributes: most notably the amount attribute, but also email, title, return_url, cancel_url, ccode, and image.
Because the payload can be stored in content (e.g., a post or page containing the shortcode), it may execute later when another user views the affected page—often targeting higher-privilege users who review or publish content.
Security Weakness
This vulnerability is caused by insufficient input sanitization and output escaping when user-supplied shortcode attributes are processed and then placed into HTML output. In practical business terms, this means the plugin may accept untrusted values and render them in a way that allows scripted content to run in a visitor’s browser.
According to the published advisory, the plugin’s shortcode handling uses attribute extraction and then directly inserts those values into HTML attribute contexts without appropriate escaping, enabling stored (persistent) XSS rather than a one-time (reflected) attack.
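The defect the advisory describes, shown as an added illustration rather than the plugin's own code: a minimal "before" handler that extracts shortcode attributes and interpolates them straight into HTML attribute values, next to a hardened "after" handler that validates each value by type and escapes it for its output context. The shortcode tag `donate` and the attribute names follow the advisory; the function names, the hidden-field names and the endpoint constant are assumptions for illustration.

```php
<?php
// Added example, not the plugin's own code: the escaping defect described in the
// advisory as a "before" handler next to a hardened "after" handler.
// Assumptions: shortcode tag "donate" and attribute names follow the advisory;
// function names, hidden-field names and the endpoint constant are placeholders.

define( 'EXAMPLE_DONATE_ENDPOINT', 'https://example.invalid/checkout' ); // placeholder

// BEFORE: attribute extraction followed by direct interpolation into HTML attribute
// context. Any attribute value can close the quote and add attributes or markup.
function example_donate_shortcode_vulnerable( $atts ) {
    extract( shortcode_atts( array(
        'amount' => '', 'email' => '', 'title' => '', 'return_url' => '',
        'cancel_url' => '', 'ccode' => 'USD', 'image' => '',
    ), $atts, 'donate' ) );

    return '<form action="' . EXAMPLE_DONATE_ENDPOINT . '" method="post">'
        . '<input type="hidden" name="business" value="' . $email . '">'
        . '<input type="hidden" name="amount" value="' . $amount . '">'
        . '<input type="hidden" name="currency_code" value="' . $ccode . '">'
        . '<input type="hidden" name="return" value="' . $return_url . '">'
        . '<input type="hidden" name="cancel_return" value="' . $cancel_url . '">'
        . '<input type="image" src="' . $image . '" alt="' . $title . '">'
        . '</form>';
}

// AFTER: validate each value against what it is supposed to be, then escape for
// the exact output context (esc_attr for attribute values, esc_url for URLs).
function example_donate_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array(
        'amount' => '', 'email' => '', 'title' => '', 'return_url' => '',
        'cancel_url' => '', 'ccode' => 'USD', 'image' => '',
    ), $atts, 'donate' );

    // Type validation: a donation amount is a non-negative decimal, a currency
    // code is three upper-case letters, an address must pass sanitize_email().
    $amount = ( is_numeric( $atts['amount'] ) && (float) $atts['amount'] >= 0 )
        ? number_format( (float) $atts['amount'], 2, '.', '' ) : '';
    $ccode  = preg_match( '/^[A-Z]{3}$/', $atts['ccode'] ) ? $atts['ccode'] : 'USD';
    $email  = sanitize_email( $atts['email'] );
    $title  = sanitize_text_field( $atts['title'] );

    // URL attributes: esc_url() drops quotes and angle brackets and rejects
    // schemes outside the allowed list, so script-bearing schemes never render.
    $return_url = esc_url( $atts['return_url'], array( 'https' ) );
    $cancel_url = esc_url( $atts['cancel_url'], array( 'https' ) );
    $image      = esc_url( $atts['image'], array( 'https', 'http' ) );

    return '<form action="' . esc_url( EXAMPLE_DONATE_ENDPOINT ) . '" method="post">'
        . '<input type="hidden" name="business" value="' . esc_attr( $email ) . '">'
        . '<input type="hidden" name="amount" value="' . esc_attr( $amount ) . '">'
        . '<input type="hidden" name="currency_code" value="' . esc_attr( $ccode ) . '">'
        . '<input type="hidden" name="return" value="' . $return_url . '">'
        . '<input type="hidden" name="cancel_return" value="' . $cancel_url . '">'
        . '<input type="image" src="' . $image . '" alt="' . esc_attr( $title ) . '">'
        . '</form>';
}

// Register the hardened handler when this file is loaded inside WordPress.
if ( function_exists( 'add_shortcode' ) ) {
    add_shortcode( 'donate', 'example_donate_shortcode_hardened' );
}
```

The point of the "after" version is that escaping is chosen per output context, not applied once at input: `esc_attr()` for values that land inside a quoted attribute, `esc_url()` with an explicit protocol list for anything that becomes `src`, `href` or a form target. Validation before escaping (numeric amount, three-letter currency code) additionally shrinks what a Contributor can store at all, which matters because stored shortcode text is not subject to the HTML filtering WordPress applies to post markup.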
There is currently no known patch available. The source advisory recommends reviewing the risk and applying mitigations, and notes that uninstalling the affected software and replacing it may be the safest approach. Reference: Wordfence vulnerability record.
Technical or Business Impacts
Stored XSS is often a “silent” brand and revenue risk because it can run in the context of your real website and trusted domain. For organizations using donation pages, the impact can extend beyond IT into marketing performance, conversion rates, and trust.
Potential business impacts include: compromised visitor trust (defacement, pop-ups, malicious redirects), reputational damage if donors are exposed to scams, and increased support burden from users reporting suspicious behavior. If an attacker targets internal staff or administrators, XSS can also enable session theft or unauthorized actions performed in the victim’s browser, potentially leading to broader site compromise.
Operational and compliance impacts: security incidents involving user exposure or unauthorized site changes can trigger incident response costs, reporting obligations depending on your jurisdiction and data involved, and disruption to active campaigns—especially if donation flows must be paused while the issue is contained.
Recommended mitigations given “no patch available”: consider uninstalling and replacing WordPress PayPal Donation immediately. If removal is not immediately possible, reduce exposure by limiting who can create or edit content that contains shortcodes, reviewing existing posts/pages for the plugin’s donate shortcode, and tightening role permissions (especially for Contributor accounts). Where feasible, implement compensating controls such as a web application firewall (WAF) and stronger change-control around content publishing.
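To support the "review existing posts/pages for the plugin's donate shortcode" step, here is an added audit script (not part of the advisory) that finds every stored occurrence of the shortcode and flags attribute values that could break out of an HTML attribute. It is meant to run inside WordPress via WP-CLI (`wp eval-file audit-donate-shortcode.php`); the shortcode tag `donate` is taken from the advisory's wording, and the function names are assumptions.

```php
<?php
// Added example, not from the advisory: audit stored posts and pages for the
// donate shortcode and flag attribute values that could break out of an HTML
// attribute. Run inside WordPress:  wp eval-file audit-donate-shortcode.php
// Assumptions: shortcode tag "donate"; function names are placeholders.

// Return one attribute array per [donate ...] occurrence found in $content.
function example_find_donate_shortcodes( $content ) {
    $pattern = '/' . get_shortcode_regex( array( 'donate' ) ) . '/';
    if ( ! preg_match_all( $pattern, $content, $matches, PREG_SET_ORDER ) ) {
        return array();
    }
    $found = array();
    foreach ( $matches as $m ) {
        // Group 3 of the core shortcode regex is the raw attribute string.
        $atts    = shortcode_parse_atts( $m[3] );
        $found[] = is_array( $atts ) ? $atts : array();
    }
    return $found;
}

// Return the subset of attributes whose value contains attribute-breaking
// characters, an event-handler name, or a script-bearing URL scheme.
function example_suspicious_attributes( array $atts ) {
    $flagged = array();
    foreach ( $atts as $name => $value ) {
        if ( ! is_string( $value ) ) {
            continue;
        }
        // Decode entities first so an encoded quote or bracket is not missed.
        $decoded = html_entity_decode( $value, ENT_QUOTES, 'UTF-8' );
        if ( preg_match( '/[<>"\']|\bon\w+\s*=|^\s*(javascript|vbscript|data):/i', $decoded ) ) {
            $flagged[ $name ] = $value;
        }
    }
    return $flagged;
}

function example_log( $msg ) {
    if ( class_exists( 'WP_CLI' ) ) {
        WP_CLI::log( $msg );
    } else {
        echo $msg, "\n";
    }
}

global $wpdb;
$rows = $wpdb->get_results( $wpdb->prepare(
    "SELECT ID, post_type, post_status, post_author, post_content
       FROM {$wpdb->posts} WHERE post_content LIKE %s",
    '%' . $wpdb->esc_like( '[donate' ) . '%'
) );

example_log( sprintf( '%d post(s) contain the donate shortcode.', count( $rows ) ) );
foreach ( $rows as $row ) {
    foreach ( example_find_donate_shortcodes( $row->post_content ) as $atts ) {
        $bad = example_suspicious_attributes( $atts );
        if ( $bad ) {
            // Report location and author only; the stored value is not echoed.
            example_log( sprintf( 'SUSPICIOUS post %d (%s, %s, author %d): attributes %s',
                $row->ID, $row->post_type, $row->post_status, $row->post_author,
                implode( ', ', array_keys( $bad ) ) ) );
        }
    }
}
```

The query covers every post type and status, including drafts and pending revisions, which is where a Contributor's content sits before an Editor opens it in the admin preview. A hit on `post_author` for a low-privilege account is the signal to review that account's other content and recent activity; a clean run is also the baseline to keep if the plugin must stay installed while a replacement is selected.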
Similar attacks (real examples): Stored XSS has a long track record of being used for account takeover and large-scale abuse. Examples include the WordPress core stored XSS fixed in 2019 (CVE-2019-9787) and the widely documented “Samy” worm that spread via XSS on MySpace (case summary).