CVE-2023-25702: 
WordPress vulnerability analysis and mitigation

An authenticated (admin+) Stored Cross-site Scripting (XSS) vulnerability was discovered in the Fullworks Quick Paypal Payments WordPress plugin versions 5.7.25 and below. The vulnerability was reported on December 30, 2022, and was publicly disclosed on February 14, 2023 (Patchstack Database).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, identified as CVE-2023-25702. It received a CVSS v3.1 base score of 4.8 (Medium) from NVD with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, while Patchstack assigned it a slightly higher score of 5.9 (Medium) with the vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability could allow a malicious actor with administrative privileges to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site (Patchstack Database).

The vulnerability was fixed in version 5.7.26 of the Quick Paypal Payments plugin. Users are advised to update to version 5.7.26 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins as an additional security measure (Patchstack Database).