CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-52143 – WordPress WP Stripe Checkout Plugin <= 1.2.2.37 is vulnerable to Sensitive Data Exposure
https://notcve.org/view.php?id=CVE-2023-52143
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Naa986 WP Stripe Checkout.This issue affects WP Stripe Checkout: from n/a through 1.2.2.37. Vulnerabilidad de exposición de información confidencial a un actor no autorizado en Naa986 WP Stripe Checkout. Este problema afecta a WP Stripe Checkout: desde n/a hasta 1.2.2.37. The WP Stripe Checkout plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.2.37 via the debug log file. This makes it possible for unauthenticated attackers to extract sensitive data including stripe checkout debug information. • https://patchstack.com/database/vulnerability/wp-stripe-checkout/wordpress-wp-stripe-checkout-plugin-1-2-2-37-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve • CWE-532: Insertion of Sensitive Information into Log File CWE-921: Storage of Sensitive Data in a Mechanism without Access Control •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-3986 – WP Stripe Checkout < 1.2.2.21 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2022-3986
The WP Stripe Checkout WordPress plugin before 1.2.2.21 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks El complemento de WordPress WP Stripe Checkout anterior a 1.2.2.21 no valida ni escapa algunos de sus atributos de código corto antes de devolverlos a la página, lo que podría permitir a los usuarios con un rol tan bajo como colaborador realizar ataques de cross site scripting almacenado. The WP Stripe Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the shortcodes in the wp_stripe_checkout. This results in a vulnerability in the ‘wp_stripe_checkout_legacy_checkout_button_handler’ function in versions up to, and including, 1.2.2.20 due to insufficient input sanitization and output escaping. This makes it possible for contributor-level attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/ad8077a1-7cbe-4aa1-ad7d-acb41027ed0a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •