CVE-2025-57891: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the WordPress Recurring PayPal Donations plugin, affecting versions up to and including 1.8. The vulnerability was discovered by Nabil Irawan and was disclosed on August 22, 2025, with CVE identifier CVE-2025-57891. This security issue specifically impacts the wpecommerce Recurring PayPal Donations plugin and primarily affects multi-site installations and installations where unfilteredhtml has been disabled (Rapid7, [Patchstack](https://patchstack.com/database/wordpress/plugin/recurring-donation/vulnerability/wordpress-recurring-paypal-donations-plugin-1-8-cross-site-scripting-xss-vulnerability?s_id=cve)).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It has been assigned a CVSS v3.1 base score of 5.9 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability stems from insufficient input sanitization and output escaping in the plugin's functionality (NVD, Patchstack).

The vulnerability allows authenticated attackers with administrator-level access to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an injected page. The impact is particularly significant for multi-site installations and installations where unfiltered_html has been disabled (Rapid7).

The vulnerability has been fixed in version 1.9 of the Recurring PayPal Donations plugin. Users are advised to update to version 1.9 or later to remove the vulnerability. The security issue is considered to have a low severity impact and is unlikely to be exploited (Patchstack).