CVE-2024-5447

Published Jun 21, 2024

Last updated 2 years ago

CVSS medium 4.8
WordPress

Overview

AI description

Automated description summarized from trusted sources.

CVE-2024-5447 is a vulnerability found in the PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin, specifically in versions up to 1.7. It's a Cross-Site Scripting (XSS) vulnerability, categorized as CWE-79. The vulnerability exists because the plugin doesn't properly sanitize and escape some of its settings. This allows high-privilege users, such as administrators, to inject malicious scripts into the website settings, leading to stored XSS attacks. These injected scripts can then be executed in the context of other users who visit the affected pages, potentially leading to data theft or other malicious activities.

Description
The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Source
contact@wpscan.com
NVD status
Modified
Products
paypal_pay_now\,_buy_now\,_donation_and_cart_buttons_shortcode

Risk scores

CVSS 3.1

Type
Primary
Base score
4.8
Impact score
2.7
Exploitability score
1.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Severity
MEDIUM

Weaknesses

nvd@nist.gov
CWE-79

Social media

Hype score
Not currently trending

  1. Actively exploited CVE : CVE-2024-5447

    @transilienceai

    2 Apr 2025

    28 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  2. Looking for some Friday/Weekend reading? Just published a new (guest) blog post by Noah Gregory (@wtsdev), that dives into the technical details of a neat bug (CVE-2024-5447) he uncovered on macOS ๐ŸŽ๐Ÿ› Read: "Leaking Passwords (and more!) on macOS": https://t.co/NoV7Fw8ZJU

    @objective_see

    21 Mar 2025

    5224 Impressions

    14 Retweets

    52 Likes

    18 Bookmarks

    0 Replies

    2 Quotes

Configurations

Related CVEs

  1. The Master Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ma_el_bh_table_btn_text' parameter in versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.โ€ขCVE-2026-2486
  2. WordPress Plugin "Survey Maker" versions 5.1.7.7 and prior contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed in the user's web browser.โ€ขCVE-2026-26370
  3. The Deployment Infrastructure in Mintlify Platform before 2025-11-15 allows remote attackers to bypass security patches and execute downgrade attacks via predictable deployment identifiers on the Vercel preview domain. An attacker can identify the URL structure of a previous deployment that contains unpatched vulnerabilities. By browsing directly to the specific git-ref or deployment-id subdomain, the attacker can force the application to load the vulnerable version.โ€ขCVE-2025-67846
  4. The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post.โ€ขCVE-2025-9501
  5. The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs.โ€ขCVE-2025-8085

References

Sources include official advisories and independent security research.