CVE-2025-68602

Severity: MEDIUM, base score 6.1 (CVSS 3.1)
Published: 2025-12-24 ([email protected])

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Dec 24, 2025 - 13:16 (nvd), MEDIUM 6.1

Description

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Scott Paterson Accept Donations with PayPal & Stripe easy-paypal-donation allows Phishing. This issue affects Accept Donations with PayPal & Stripe: from n/a through <= 1.5.2.

Analysis

Open redirect vulnerability in Scott Paterson Accept Donations with PayPal & Stripe WordPress plugin (versions <= 1.5.2) enables attackers to craft malicious URLs that redirect users to untrusted sites, facilitating phishing attacks. The vulnerability requires user interaction (UI:R) but affects the plugin's core donation handling, allowing an unauthenticated attacker to chain this with social engineering to compromise user credentials or distribute malware through redirects to fraudulent payment pages.

Technical Context

The vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site / Open Redirect), a common web application flaw where user-controlled input is used in redirect operations without proper validation. The affected product is the 'easy-paypal-donation' WordPress plugin, which integrates PayPal and Stripe payment processing into WordPress sites. The plugin's donation form or callback mechanism fails to validate redirect URLs before redirecting users, allowing attackers to inject arbitrary URLs. This is particularly dangerous in the payment context because users may trust redirects originating from donation pages, making phishing attacks more credible.

Affected Products

Scott Paterson Accept Donations with PayPal & Stripe (easy-paypal-donation) WordPress plugin in all versions from initial release through 1.5.2 inclusive. This plugin is hosted in the official WordPress plugin repository and is likely installed on thousands of donation-focused WordPress sites.

Remediation

Update the Accept Donations with PayPal & Stripe plugin to a patched version released after 1.5.2 (exact patch version not specified in available data; consult the Patchstack advisory for the specific fixed release). Site administrators should immediately upgrade through the WordPress plugin dashboard. As an interim workaround pending patch availability, disable the plugin entirely if donation processing can be deferred, or restrict redirect functionality through .htaccess rules or WordPress security plugins that validate redirect URLs. Reference the vulnerability details at https://patchstack.com/database/Wordpress/Plugin/easy-paypal-donation/vulnerability/wordpress-accept-donations-with-paypal-plugin-1-5-1-open-redirection-vulnerability?_s_id=cve for confirmation of the patched version.
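The CWE-601 pattern described under Technical Context (a redirect parameter passed to the redirect call without validation) and the interim mitigation suggested above (validating redirect URLs before honouring them) can both be illustrated with one small validator. The code below is an added example written for this page; it is not the plugin's code and does not show how the plugin actually handles its return URL. The allowlist hosts, the parameter names (return_url, redirect, redirect_to, return) and the access-log lines are all constructed for the example. It accepts only site-relative paths and absolute http(s) URLs whose host is on the allowlist, and it rejects the usual bypass shapes: protocol-relative targets, backslash variants, scheme-only URLs, embedded credentials, non-web schemes and CR/LF characters. A second function runs the same check over log lines so an administrator can look for redirect parameters that point off-site.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: the only hosts this site may redirect a visitor to.
ALLOWED_HOSTS = {"donate.example.org", "www.paypal.com"}

# Hypothetical parameter names a donation form might use for its return URL.
REDIRECT_PARAMS = ("return_url", "redirect", "redirect_to", "return")


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Return True only for a site-relative path or an allowlisted http(s) URL."""
    if not isinstance(target, str) or not target.strip():
        return False
    # Browsers treat backslashes like forward slashes, so normalise them first.
    t = target.strip().replace("\\", "/")
    # Control characters (CR/LF, tabs) enable header injection; never redirect there.
    if any(ord(c) < 0x21 for c in t):
        return False
    # A single leading slash is a site-relative path; "//host" is protocol-relative.
    if t.startswith("/"):
        return not t.startswith("//")
    parts = urlsplit(t)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    # "https:attacker.example" parses with an empty netloc; reject it.
    if not parts.netloc:
        return False
    # "https://trusted@attacker.example" carries credentials; reject it.
    if "@" in parts.netloc:
        return False
    # .hostname is lowercased with the port removed; match it exactly (no suffix tricks).
    return parts.hostname in allowed_hosts


def safe_redirect_target(target, fallback="/", allowed_hosts=ALLOWED_HOSTS):
    """Return the validated target, or the fallback when validation fails."""
    if is_safe_redirect(target, allowed_hosts):
        return target.strip().replace("\\", "/")
    return fallback


# Matches the request line inside an Apache/nginx combined-format log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')


def find_offsite_redirects(log_lines, param_names=REDIRECT_PARAMS,
                           allowed_hosts=ALLOWED_HOSTS):
    """Return (param, value) pairs whose redirect target fails validation."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("path")).query
        # parse_qs percent-decodes values, so "%2F%2F" is checked as "//".
        for name, values in parse_qs(query, keep_blank_values=True).items():
            if name not in param_names:
                continue
            for value in values:
                if not is_safe_redirect(value, allowed_hosts):
                    hits.append((name, value))
    return hits


# Constructed access-log lines (IPs from documentation ranges, hosts under .example).
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Dec/2025:13:16:00 +0000] "GET /donate/?return_url=%2Fthank-you%2F HTTP/1.1" 302 0',
    '203.0.113.9 - - [24/Dec/2025:13:17:12 +0000] "GET /donate/?return_url=https%3A%2F%2Fattacker.example%2Flogin HTTP/1.1" 302 0',
    '198.51.100.2 - - [24/Dec/2025:13:18:45 +0000] "GET /donate/?return_url=%2F%2Fattacker.example%2F HTTP/1.1" 302 0',
    '198.51.100.7 - - [24/Dec/2025:13:19:03 +0000] "GET /donate/?return_url=https%3A%2F%2Fdonate.example.org%2Fthanks HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for name, value in find_offsite_redirects(SAMPLE_LOG):
        print(f"off-site redirect via {name}: {value}")
```

In a WordPress plugin the equivalent of safe_redirect_target is wp_validate_redirect() or wp_safe_redirect(), which fall back to the site's own host unless the target host has been added through the allowed_redirect_hosts filter; the point of the stand-alone validator is to make the individual checks (relative path only, allowlisted host only, no protocol-relative or credential-bearing forms) explicit and testable.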

Priority Score

Score: 32 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +1.4
CVSS: +30
POC: 0
