CVE-2025-7669
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-07-19

Last updated on: 2025-07-22

Assigner: Wordfence

Description
The Avishi WP PayPal Payment Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0. This is due to missing or incorrect nonce validation on the 'avishi-wp-paypal-payment-button/index.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-07-19
Last Modified
2025-07-22
Generated
2026-05-27
AI Q&A
2025-07-19
EPSS Evaluated
2026-05-25
NVD
CVE-2025-7669
EUVD
EUVD-2025-21942
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
avishika avishi_wp_paypal_payment_button *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the Avishi WP PayPal Payment Button WordPress plugin versions up to 2.0. It occurs because the plugin's 'avishi-wp-paypal-payment-button/index.php' page lacks proper nonce validation, allowing attackers to trick a site administrator into performing unintended actions, such as updating settings or injecting malicious scripts, by sending forged requests.


How can this vulnerability impact me? :

The vulnerability can allow unauthenticated attackers to manipulate the plugin's settings or inject malicious web scripts if they can trick a site administrator into clicking a malicious link. This can lead to compromised site integrity, potential unauthorized changes, and possible injection of harmful code affecting site visitors.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediately disable or uninstall the Avishi WP PayPal Payment Button plugin if it is installed on your WordPress site, as the plugin has been temporarily closed and is unavailable for download pending a full review. Additionally, avoid clicking on suspicious links that could trigger forged requests, and ensure that site administrators are aware of the risk of Cross-Site Request Forgery attacks related to this plugin. Monitor for plugin updates or patches from the developers before re-enabling it. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart