- Published on
-
Feb 10, 2023
- Research Description
-
Quick Paypal Payments [quick-paypal-payments] < 5.7.26
Quick Paypal Payments <= 5.7.25 - Authenticated (Administrator+) Stored Cross-Site Scripting
The Quick Paypal Payments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings through several parameters (blurb, comboboxword, comboboxlabel, shortcodeamount, postagepercent, postagefixed, couponref, couponbutton, minamount, recurringhowmany, Dperiod, Wperiod, Mperiod, Yperiod, every, quantitymaxblurb, min, max, initial, step) in versions up to, and including, 5.7.25 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrative-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
- Affected versions
-
max 5.7.26.
Plugin Security Certification
Join the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Get Plugin Security Certificate
| New vulnerability |
|
Ivory Search – WordPress Search Plugin
(2427187f78f0cce23c52cabddb6a79e5816f0ef4)
, Jun 16, 2026
|
|
Ivory Search – WordPress Search Plugin
(33fe51097267191ced2251c46ec03e986ca8cd29)
, Jun 16, 2026
|
|
Ivory Search – WordPress Search Plugin
(2e31275da5e5f6960dafe613ce8416ccd9d3ae32)
, Jun 16, 2026
|
|
Ivory Search – WordPress Search Plugin
(0262969171706d2e0a213940a438c6706b666e71)
, Jun 16, 2026
|
|
Membership Plugin – Restrict Content
(35996c26d39e9adbf33cf8c16f28fb76b822949e)
, Jun 16, 2026
|