CVE-2025-13966 identifies a stored cross-site scripting (XSS) vulnerability in the Paypal Payment Shortcode plugin for WordPress, specifically affecting all versions up to and including 1.01. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), where the 'buttom_image' parameter of the [paypal-shortcode] shortcode is not adequately sanitized or escaped before rendering. This flaw allows authenticated users with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages or posts. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed on behalf of the victim. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting a medium severity level, with an attack vector over the network, low complexity, and no user interaction required. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially compromised component. The impact affects confidentiality and integrity partially but does not impact availability. No patches are currently linked, and no known exploits have been reported in the wild. The vulnerability was published on December 12, 2025, and assigned by Wordfence. Given the widespread use of WordPress and the popularity of payment-related plugins, this vulnerability poses a notable risk to websites using this specific plugin version.

The primary impact of CVE-2025-13966 is the potential for attackers with Contributor-level access to inject persistent malicious scripts into WordPress pages, which execute in the context of other users' browsers. This can lead to theft of session cookies, unauthorized actions performed on behalf of users, defacement, or redirection to malicious sites. While availability is not affected, the confidentiality and integrity of user data and site content can be compromised. Organizations relying on the Paypal Payment Shortcode plugin may face reputational damage, loss of user trust, and potential regulatory consequences if sensitive user information is exposed. Since exploitation requires authenticated access, the risk is higher in environments with multiple contributors or where account compromise is possible. The vulnerability could also be leveraged as part of a broader attack chain to escalate privileges or implant further malware. Given WordPress’s extensive global usage, the threat has a broad potential impact, especially for e-commerce and payment processing sites using this plugin.

To mitigate CVE-2025-13966, organizations should immediately update the Paypal Payment Shortcode plugin to a patched version once available. In the absence of an official patch, administrators should restrict Contributor-level access to trusted users only and audit existing content for injected scripts. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script payloads targeting the 'buttom_image' parameter can reduce risk. Additionally, applying Content Security Policy (CSP) headers can limit the impact of injected scripts by restricting script execution sources. Regularly scanning WordPress installations with security plugins that detect XSS and other injection flaws is recommended. Developers maintaining the plugin should ensure proper input validation and output encoding for all shortcode parameters. Finally, educating content contributors about safe input practices and monitoring user activity logs can help detect and prevent exploitation attempts.