CVE-2025-47517: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Scott Paterson's Accept Donations with PayPal WordPress plugin, affecting versions through 1.4.5. The vulnerability was disclosed on May 7, 2025, and was assigned CVE-2025-47517. The issue received a CVSS v3.1 base score of 7.1 (HIGH), indicating significant security implications (Wiz Report, NVD).

The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) and allows for Stored XSS attacks. The CVSS vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L indicates that the vulnerability can be exploited remotely, requires low attack complexity, needs no privileges, but does require user interaction. The scope is changed, with low impacts to confidentiality, integrity, and availability (NVD, Wiz Report).

The vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication. This CSRF vulnerability, combined with Stored XSS capabilities, presents potential risks to website administrators and users (Patchstack).

The vulnerability has been fixed in version 1.5 of the Accept Donations with PayPal plugin. Users are advised to update to version 1.5 or later to remove the vulnerability (Patchstack).