CVE-2025-7669: CWE-352 Cross-Site Request Forgery (CSRF) in avishika Avishi WP PayPal Payment Button
The Avishi WP PayPal Payment Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0. This is due to missing or incorrect nonce validation on the 'avishi-wp-paypal-payment-button/index.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Analysis
Technical Summary
The Avishi WP PayPal Payment Button plugin for WordPress suffers from a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2025-7669. This vulnerability exists in all versions up to and including 2.0 due to missing or incorrect nonce validation on the 'avishi-wp-paypal-payment-button/index.php' page. Nonces are security tokens used to verify that requests originate from legitimate users and prevent unauthorized actions. Without proper nonce validation, attackers can craft malicious requests that, when executed by an authenticated site administrator (via clicking a link or visiting a malicious webpage), cause the plugin to update its settings or inject malicious web scripts. The attack does not require the attacker to be authenticated, but it does require user interaction from an administrator, making social engineering a key component of exploitation. The vulnerability impacts confidentiality and integrity by enabling unauthorized changes to payment button configurations and potential script injection, which could lead to further compromise or data leakage. The CVSS 3.1 score of 6.1 reflects a medium severity with network attack vector, low attack complexity, no privileges required, user interaction required, and a scope change. Currently, no patches or fixes have been published, and no known exploits are reported in the wild. The vulnerability is assigned to the CWE-352 category, which covers CSRF issues. Organizations using this plugin should be aware of the risk of unauthorized configuration changes and potential injection of malicious content that could affect payment processing and site security.
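The nonce-validation pattern the paragraph describes, shown as an added illustration that is not the plugin's or Wordfence's code: an unsafe settings handler that trusts any POST, beside the WordPress-idiomatic hardened form. All `example_` function, option, field and nonce-action names are hypothetical placeholders.

```php
<?php
// Added example (not the Avishi plugin's own code). Option, field and
// nonce-action names prefixed "example_" are hypothetical placeholders.

// Unsafe pattern: any POST reaching the admin page updates settings. A request
// forged from another origin is sent with the admin's cookies, so it succeeds.
function example_save_settings_unsafe() {
    if ( isset( $_POST['example_paypal_email'] ) ) {
        update_option( 'example_paypal_email', $_POST['example_paypal_email'] );
    }
}

// Hardened pattern: capability check, nonce check, then sanitized storage.
function example_save_settings_safe() {
    if ( ! isset( $_POST['example_save'] ) ) {
        return;
    }
    // 1. Only users allowed to manage options may change them at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // 2. The request must carry a nonce WordPress issued to this user for this
    //    action. check_admin_referer() stops execution on a missing or invalid
    //    nonce, which is exactly what a cross-site forged request lacks.
    check_admin_referer( 'example_save_settings', 'example_nonce' );
    // 3. Never store raw input; sanitize according to the field's type.
    $email = sanitize_email( wp_unslash( $_POST['example_paypal_email'] ?? '' ) );
    update_option( 'example_paypal_email', $email );
}

// The legitimate settings form embeds the matching nonce field, and escapes
// the stored value on output so injected markup cannot execute in the admin UI.
function example_render_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="email" name="example_paypal_email"
               value="<?php echo esc_attr( get_option( 'example_paypal_email', '' ) ); ?>">
        <button type="submit" name="example_save" value="1">Save</button>
    </form>
    <?php
}
```

The nonce check alone does not replace the capability check: a nonce proves the request came from a form WordPress rendered for that user, while `current_user_can()` proves the user is permitted to perform the action.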
Potential Impact
The primary impact of this vulnerability is unauthorized modification of the Avishi WP PayPal Payment Button plugin settings and injection of malicious scripts. This can lead to compromised payment processing configurations, potentially redirecting payments or exposing sensitive transaction data. Malicious script injection could facilitate further attacks such as credential theft, session hijacking, or malware distribution to site visitors. Since the vulnerability requires an administrator to be tricked into clicking a crafted link, successful exploitation could undermine the trustworthiness and integrity of the affected WordPress site. Organizations relying on this plugin for PayPal payment integration risk financial fraud, reputational damage, and potential regulatory compliance issues if customer payment data is compromised. The scope of impact is limited to sites using this specific plugin, but given WordPress’s widespread use, the number of affected sites could be significant. The absence of availability impact means the site remains operational, but the integrity and confidentiality of payment-related data are at risk.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately audit their WordPress sites for the presence of the Avishi WP PayPal Payment Button plugin and verify the version in use. Until an official patch is released, administrators should restrict access to the WordPress admin panel to trusted networks and users only, minimizing exposure to social engineering attacks. Implementing Web Application Firewall (WAF) rules to detect and block suspicious POST requests targeting the vulnerable plugin page can reduce risk. Educate administrators about the dangers of clicking unknown or unsolicited links, especially while logged into the WordPress admin interface. Monitor plugin updates closely and apply security patches as soon as they become available. Consider temporarily disabling or replacing the plugin with a more secure alternative if feasible. Additionally, review and harden WordPress security configurations, including enforcing multi-factor authentication for admin accounts and limiting plugin installation privileges. Regularly back up site data and configurations to enable recovery in case of compromise.
Affected Countries
United States, India, Germany, United Kingdom, Canada, Australia, Brazil, France, Japan, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-14T21:50:55.409Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 687b036ea83201eaacf8db4c
Added to database: 7/19/2025, 2:31:10 AM
Last enriched: 2/26/2026, 4:26:58 PM
Last updated: 3/24/2026, 11:50:30 PM