Open Redirect
CVE-2025-68602
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Lifecycle Timeline
Description (CVE.org)
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Scott Paterson Accept Donations with PayPal & Stripe easy-paypal-donation allows Phishing. This issue affects Accept Donations with PayPal & Stripe: from n/a through <= 1.5.2.
Analysis (AI)
Open redirect vulnerability in the Scott Paterson Accept Donations with PayPal & Stripe WordPress plugin (versions <= 1.5.2) lets an attacker craft a URL that, when followed, sends the visitor to an untrusted site, which facilitates phishing. The vulnerability requires user interaction (UI:R) but affects the plugin's core donation handling, so an unauthenticated attacker can chain it with social engineering to harvest credentials or deliver malware through redirects to fraudulent payment pages.
Technical Context (AI)
The vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site / Open Redirect), a common web application flaw where user-controlled input is used in redirect operations without proper validation. The affected product is the 'easy-paypal-donation' WordPress plugin, which integrates PayPal and Stripe payment processing into WordPress sites. The plugin's donation form or callback mechanism fails to validate redirect URLs before redirecting users, allowing attackers to inject arbitrary URLs. This is particularly dangerous in the payment context because users may trust redirects originating from donation pages, making phishing attacks more credible.
Affected Products (AI)
Scott Paterson Accept Donations with PayPal & Stripe (easy-paypal-donation) WordPress plugin in all versions from initial release through 1.5.2 inclusive. This plugin is hosted in the official WordPress plugin repository and is likely installed on thousands of donation-focused WordPress sites.
Remediation (AI)
Update the Accept Donations with PayPal & Stripe plugin to a patched version released after 1.5.2 (the exact fixed version is not stated in the available data; consult the Patchstack advisory for it). Site administrators should upgrade immediately through the WordPress plugin dashboard. As an interim workaround until a patch is available, disable the plugin entirely if donation processing can be deferred, or restrict redirect functionality through .htaccess rules or WordPress security plugins that validate redirect URLs. Reference the vulnerability details at https://patchstack.com/database/Wordpress/Plugin/easy-paypal-donation/vulnerability/wordpress-accept-donations-with-paypal-plugin-1-5-1-open-redirection-vulnerability?_s_id=cve for confirmation of the patched version.