CVE-2025-68602: URL Redirection to Untrusted Site ('Open Redirect') in Scott Paterson Accept Donations with PayPal
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Scott Paterson Accept Donations with PayPal (plugin slug easy-paypal-donation) allows Phishing. This issue affects Accept Donations with PayPal: from n/a through 1.5.1 (all versions up to and including 1.5.1).
AI Analysis
Technical Summary
CVE-2025-68602 identifies an Open Redirect (CWE-601) vulnerability in the 'Accept Donations with PayPal' WordPress plugin (slug easy-paypal-donation) by Scott Paterson, affecting all versions up to and including 1.5.1. Open redirect vulnerabilities occur when an application reads a destination URL from user-controlled input, typically a query or form parameter naming where to send the visitor after an action, and issues an HTTP redirect to it without restricting the target to its own host or an allowlist. Here the plugin fails to validate such a redirect target, so an attacker can craft a link whose visible domain is the trusted donation site but which sends the visitor on to an attacker-controlled page, such as a fake PayPal login or a malware download. The advisory does not name the affected parameter or code path.

Exploitation needs no authentication (PR:N) but requires a victim to follow the crafted link (UI:R), and the damage is done in the victim's browser rather than on the vulnerable site, which is why open redirects are conventionally scored with a changed scope (S:C). A CVSS v3.1 base score of 6.1 (Medium) with those metrics corresponds to the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N: limited confidentiality and integrity impact, no availability impact. Note that the record in the Technical Details section carries no CVSS version, so the 6.1 figure is this analysis's assessment rather than a score published by the assigner. No in-the-wild exploitation has been reported. No patch link is present in the record, so until a fixed release is confirmed, mitigation rests on workarounds and monitoring rather than on an update.
Potential Impact
For European organizations, especially non-profits, charities and small to medium enterprises that collect donations through this plugin, the vulnerability raises the odds that phishing against their donors succeeds: a lure can carry a link to the organization's genuine domain, pass a hover-over or URL-reputation check, and only then hand the visitor to an attacker page that imitates the donation flow or a PayPal login and harvests credentials or payment details. The plugin itself discloses no data; the harm is the credibility the legitimate domain lends to the attacker's destination. Consequences include reputational damage, financial loss to donors, and GDPR scrutiny if personal data is captured in a campaign that leveraged the organization's site. The same lure technique can be reused against employees or customers in broader social engineering. The medium score reflects that availability is untouched while the confidentiality and integrity of the visitor's interaction are at risk. Sites with significant donation or e-commerce traffic are the most attractive targets, because donation links from them are expected in donors' inboxes.
Mitigation Recommendations
1. Confirm whether the plugin is installed and which version is running (with WP-CLI, for example, `wp plugin get easy-paypal-donation --field=version`); anything at or below 1.5.1 is affected. Watch for an updated release from Scott Paterson and apply it promptly once available.
2. Until a fixed release is available, ensure every redirect issued by the donation flow is validated server-side against an allowlist of hosts (the site itself and PayPal), not merely checked for a leading slash. In WordPress the built-in way to do this is wp_safe_redirect()/wp_validate_redirect(), which fall back to the site's admin URL when the target host is neither the site's own host nor one returned by the allowed_redirect_hosts filter. Prefer a must-use plugin or theme hook over editing plugin files, which the next update would overwrite.
3. At the WAF or reverse proxy, block requests to the donation endpoints whose redirect-style parameters decode to an absolute URL (http://, https://, or the schemeless form https:host) or a protocol-relative one (//host, /\host) pointing at a host other than the site and PayPal. No vendor signature for this CVE is published on this page, so the rule has to be written from that pattern.
4. Educate users and donors about phishing risks, emphasizing caution with donation links received by email or social media, including links that genuinely point at the organization's own domain.
5. Use multi-factor authentication (MFA) on administrative accounts managing the donation platform, so that credentials harvested through a phishing campaign built on this redirect cannot by themselves take over the site.
6. Conduct regular security audits of the website and its plugins to identify and remediate similar unvalidated-redirect patterns.
7. Consider temporarily disabling the plugin or replacing it with an alternative donation solution if a fix is delayed and the site's phishing exposure is high.
8. Do not rely on Content Security Policy for this issue: CSP governs what a page may load and, via form-action, where forms may submit, but it does not constrain HTTP redirects or top-level navigation, so it does not stop a visitor from being redirected off-site. Server-side allowlisting of redirect targets is the control that matters.
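The redirect check described in the technical summary, together with the log-side detection that mitigation items 2 and 3 call for, as an added example in Python. This is not code from the Accept Donations with PayPal plugin (which is PHP), and the advisory names neither the vulnerable parameter nor the code path, so the parameter names, allowlisted hosts and access-log lines below are constructed for illustration. The WordPress-native equivalent of is_safe_redirect() is wp_validate_redirect()/wp_safe_redirect().

```python
"""Redirect-target validation plus a matching access-log detector.

Added example for CVE-2025-68602; not code from the Accept Donations with
PayPal plugin. Allowlist, parameter names and log lines are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: the site itself and PayPal. In WordPress the same
# role is played by the site host plus the allowed_redirect_hosts filter.
ALLOWED_HOSTS = {"donate.example.org", "www.paypal.com"}

# Constructed: parameter names that commonly carry a post-action destination.
# The advisory does not name the plugin's actual parameter.
REDIRECT_PARAMS = ("return", "redirect", "redirect_to", "url", "next")


def normalize(target: str) -> str:
    """Undo tricks that make an off-site URL look like a local path.

    Browsers drop tabs/newlines inside a URL and treat '\\' as '/' in
    http(s) URLs, so '/\\evil.example' is really '//evil.example'.
    """
    cleaned = "".join(ch for ch in target if ch not in "\t\r\n")
    return cleaned.strip().replace("\\", "/")


def is_safe_redirect(target: str, allowed_hosts=frozenset(ALLOWED_HOSTS)) -> bool:
    """True only if target is a site-relative path or an http(s) URL on an
    allowlisted host. Everything else (javascript:, '//host', 'https:host',
    'https://good@evil', 'good.example.evil') is rejected."""
    target = normalize(target)
    if not target:
        return False
    parts = urlsplit(target)
    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https"):
            return False
        # 'https:evil.example' parses with an empty netloc but a browser
        # still navigates to evil.example; userinfo ('good@evil') is also
        # a classic way to fake the visible host. Reject both.
        if not parts.netloc or "@" in parts.netloc:
            return False
        # .hostname strips port and userinfo and is lowercased; require an
        # exact match so 'www.paypal.com.evil.example' does not pass.
        return parts.hostname in allowed_hosts
    # No scheme: accept only a path. Anything starting with '//' (including
    # '///evil.example', which browsers collapse to a host) is off-site.
    if parts.netloc or target.startswith("//"):
        return False
    return target.startswith("/")


# Constructed access-log lines (combined log format, percent-encoded query).
SAMPLE_LOG = """\
203.0.113.5 - - [24/Dec/2025:13:27:01 +0000] "GET /donate/?return=%2Fthank-you%2F HTTP/1.1" 302 -
203.0.113.6 - - [24/Dec/2025:13:27:09 +0000] "GET /donate/?return=https%3A%2F%2Fwww.paypal.com%2Fdonate HTTP/1.1" 302 -
198.51.100.7 - - [24/Dec/2025:13:28:44 +0000] "GET /donate/?return=%2F%2Fevil.example%2Flogin HTTP/1.1" 302 -
198.51.100.8 - - [24/Dec/2025:13:29:02 +0000] "GET /donate/?redirect_to=https%3A%2F%2Fwww.paypal.com%40evil.example%2F HTTP/1.1" 302 -
198.51.100.9 - - [24/Dec/2025:13:29:30 +0000] "GET /donate/?return=%2F%5Cevil.example HTTP/1.1" 302 -
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def find_suspicious_redirects(log_text: str):
    """Return (client_ip, param, decoded_value) for every redirect-style
    parameter whose decoded value fails is_safe_redirect(). This is what a
    WAF rule or SIEM alert for the issue should key on."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        query = urlsplit(m.group(1)).query
        for param, values in parse_qs(query, keep_blank_values=True).items():
            if param not in REDIRECT_PARAMS:
                continue
            for value in values:
                if not is_safe_redirect(value):
                    hits.append((client_ip, param, value))
    return hits


if __name__ == "__main__":
    for ip, param, value in find_suspicious_redirects(SAMPLE_LOG):
        print(f"{ip} {param}={value!r} -> off-site redirect")
```

The normalization step is the part most checks forget: browsers treat a backslash as a slash in http(s) URLs and ignore embedded tabs and newlines, so `/\evil.example` and `///evil.example` both leave the site even though a naive "starts with a single slash" test accepts them. Because the detector applies the same predicate to the decoded query values that the application would apply before redirecting, the WAF or SIEM rule and the code agree on what counts as off-site.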
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Patchstack
- Date Reserved
- 2025-12-19T10:20:05.496Z
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 694bea25279c98bf57f7546f
Added to database: 12/24/2025, 1:27:01 PM
Last enriched: 1/21/2026, 1:41:00 AM
Last updated: 2/6/2026, 9:02:12 AM
Views: 57
Related Threats
- ‘DKnife’ Implant Used by Chinese Threat Actor for Adversary-in-the-Middle Attacks (Medium)
- Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends (Medium)
- AISURU/Kimwolf Botnet Launches Record-Setting 31.4 Tbps DDoS Attack (Medium)
- CVE-2026-2011: SQL Injection in itsourcecode Student Management System (Medium)
- CVE-2026-24930: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in Huawei HarmonyOS (High)