CVE-2026-4072 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WordPress PayPal Donation plugin developed by tstachl, affecting all versions up to and including 1.01. The vulnerability stems from improper neutralization of input during web page generation, specifically within the 'donate' shortcode processing. The plugin uses the PHP function extract(shortcode_atts(...)) to handle shortcode attributes such as 'amount', 'email', 'title', 'return_url', 'cancel_url', 'ccode', and 'image'. These attributes are directly interpolated into HTML output inside single-quoted attribute values without proper escaping or sanitization. This flaw allows authenticated users with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages or posts that use the shortcode. When other users visit these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, defacement, or other attacks that compromise confidentiality and integrity. The vulnerability has a CVSS v3.1 base score of 6.4, indicating medium severity, with an attack vector over the network, low attack complexity, requiring privileges but no user interaction, and a scope change affecting confidentiality and integrity but not availability. No public exploits are currently known, but the vulnerability poses a significant risk in environments where untrusted contributors have posting rights. The root cause is the failure to properly sanitize and escape user input before embedding it in HTML attributes, a common mistake leading to stored XSS in web applications.

The primary impact of CVE-2026-4072 is the potential for stored Cross-Site Scripting attacks within WordPress sites using the vulnerable PayPal Donation plugin. Successful exploitation allows authenticated users with Contributor-level access or higher to inject malicious scripts that execute in the browsers of any visitors viewing the affected pages. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, defacement of website content, or distribution of malware. Since the vulnerability affects all versions up to 1.01 and is network exploitable, it can impact a wide range of WordPress sites that rely on this plugin for donation processing. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the attacker's privileges, potentially compromising site-wide confidentiality and integrity. Organizations with multiple contributors or open content submission policies are at higher risk. Although availability is not impacted, the reputational damage and potential data breaches resulting from such XSS attacks can be significant. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers often target popular WordPress plugins.

To mitigate CVE-2026-4072, organizations should first check for and apply any available patches or updates from the plugin vendor once released. In the absence of an official patch, administrators can implement the following specific measures: 1) Disable or restrict the use of the 'donate' shortcode to trusted users only, limiting Contributor-level or higher access where possible. 2) Implement a Web Application Firewall (WAF) with custom rules to detect and block suspicious shortcode attribute inputs containing script tags or event handlers. 3) Manually sanitize and escape shortcode attributes by overriding the plugin's shortcode handler with a custom function that applies proper HTML attribute escaping (e.g., using esc_attr() in WordPress) before output. 4) Conduct regular security audits and content reviews to detect injected scripts or suspicious content in posts/pages using the shortcode. 5) Educate content contributors about safe input practices and the risks of injecting untrusted code. 6) Monitor logs and user activity for unusual behavior indicative of exploitation attempts. These targeted mitigations go beyond generic advice by focusing on controlling shortcode usage, enhancing input validation, and leveraging WordPress-specific escaping functions to prevent script injection.