CVE-2025-11859 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Paypal Donation Shortcode plugin for WordPress, developed by coenjacobs. This vulnerability affects all versions up to and including 0.1. The root cause is the plugin's failure to properly sanitize and neutralize user-supplied input in the 'title' and 'text' parameters of the 'paypal' shortcode during web page generation. Because these inputs are stored and later rendered on pages, an authenticated attacker with contributor-level privileges or higher can inject arbitrary JavaScript code. This malicious code executes in the context of any user who accesses the infected page, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the affected WordPress site. The vulnerability requires authentication but no additional user interaction to trigger the payload once injected. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and partial confidentiality and integrity impacts. The scope is changed due to the potential for cross-user impact. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation, a common vector for XSS attacks in web applications.

The primary impact of CVE-2025-11859 is the compromise of confidentiality and integrity within affected WordPress sites using the Paypal Donation Shortcode plugin. Attackers with contributor-level access can inject persistent malicious scripts that execute in the browsers of site visitors and administrators. This can lead to theft of session cookies, enabling account takeover, unauthorized actions performed with elevated privileges, defacement, or distribution of malware. Although availability is not directly impacted, the trustworthiness and security posture of the affected website can be severely undermined. For organizations relying on this plugin, especially those handling donations or financial transactions, the risk includes reputational damage, loss of donor trust, and potential regulatory consequences if user data is compromised. The attack requires authenticated access, which limits exposure to some extent, but contributor-level permissions are common in collaborative WordPress environments, increasing the risk. The vulnerability's network-based exploitation and lack of user interaction for payload execution further raise the threat level. Given the widespread use of WordPress globally and the popularity of donation plugins, many organizations could be affected if they do not update or mitigate this vulnerability.

To mitigate CVE-2025-11859, organizations should immediately upgrade the Paypal Donation Shortcode plugin to a version that addresses the vulnerability once available. In the absence of an official patch, administrators should implement strict input validation and output encoding for the 'title' and 'text' parameters within the shortcode, ensuring all user-supplied data is sanitized to neutralize scripts. Restrict contributor-level access to trusted users only and audit existing content for injected scripts. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the vulnerable parameters. Additionally, enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. Regularly monitor logs for unusual activity indicative of exploitation attempts. Educate content contributors about the risks of injecting untrusted content. Finally, consider disabling or replacing the vulnerable plugin with a more secure alternative if immediate patching is not feasible.