
CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Naa986 WP Stripe Checkout. This issue affects WP Stripe Checkout: from n/a through 1.2.2.37.

The WP Stripe Checkout plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.2.37 via the debug log file. This makes it possible for unauthenticated attackers to extract sensitive data including stripe checkout debug information.

• https://patchstack.com/database/vulnerability/wp-stripe-checkout/wordpress-wp-stripe-checkout-plugin-1-2-2-37-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve
• CWE-532: Insertion of Sensitive Information into Log File
• CWE-921: Storage of Sensitive Data in a Mechanism without Access Control

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in naa986 Easy Video Player allows Stored XSS. This issue affects Easy Video Player: from n/a through 1.2.2.10.

The Easy Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.2.2.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

• https://patchstack.com/database/vulnerability/easy-video-player/wordpress-easy-video-player-plugin-1-2-2-10-cross-site-scripting-xss-vulnerability?_s_id=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Checkout for PayPal WordPress plugin before 1.0.14 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks.

The Checkout for PayPal plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes ('item_description' and 'amount') within the ‘checkout_for_paypal_button_handler’ function in versions up to, and including, 1.0.13 due to insufficient input sanitization and output escaping. This makes it possible for contributor-level attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

• https://wpscan.com/vulnerability/0b48bbd6-7c77-44b8-a5d6-34e4a0747cf1
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Easy Video Player WordPress plugin before 1.2.2.3 does not sanitize and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.

The Easy Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes ('url', 'class', 'width', 'poster', and 'video_id') within the 'evp_embed_video_handler' function in versions up to, and including, 1.2.2.2 due to insufficient input sanitization and output escaping. This makes it possible for contributor-level attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

• https://wpscan.com/vulnerability/ac7158c5-3d11-4865-b26f-41ab5a8120af
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

The WP Stripe Checkout WordPress plugin before 1.2.2.21 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks.

The WP Stripe Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the shortcodes in the wp_stripe_checkout. This results in a vulnerability in the ‘wp_stripe_checkout_legacy_checkout_button_handler’ function in versions up to, and including, 1.2.2.20 due to insufficient input sanitization and output escaping. This makes it possible for contributor-level attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

• https://wpscan.com/vulnerability/ad8077a1-7cbe-4aa1-ad7d-acb41027ed0a
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')