CVE-2026-4072 is a stored cross-site scripting vulnerability in the WordPress PayPal Donation plugin (versions up to 1.01). The vulnerability occurs because the wordpress_paypal_donation_create() function uses extract(shortcode_atts(...)) to process shortcode attributes and then directly inserts these values into HTML attribute values without proper escaping. This allows authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code via shortcode attributes like 'amount', 'email', 'title', 'return_url', 'cancel_url', 'ccode', and 'image'. When other users access the page containing the injected shortcode, the malicious script executes in their browsers.

An attacker with Contributor-level access or above can inject persistent malicious scripts into pages using the vulnerable shortcode attributes. This can lead to the execution of arbitrary JavaScript in the context of users viewing the page, potentially allowing theft of cookies, session tokens, or other sensitive information. The vulnerability does not affect availability but impacts confidentiality and integrity. The CVSS vector indicates network attack vector, low attack complexity, privileges required, no user interaction, and scope change with low confidentiality and integrity impact and no availability impact.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Contributor-level access to trusted users only. Avoid using the vulnerable shortcode attributes or disable the WordPress PayPal Donation plugin if possible. Monitor for updates from the vendor or plugin author regarding patches or official mitigations.