CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-51918 – WordPress Pay With Stripe plugin <= 1.2.1 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-51918
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Freshlight Lab Pay With Stripe allows DOM-Based XSS.This issue affects Pay With Stripe: from n/a through 1.2.1. The Pay With Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/payments-stripe-gateway/wordpress-pay-with-stripe-plugin-1-2-1-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-50459 – WordPress AidWP plugin <= 3.2.3 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-50459
Missing Authorization vulnerability in HM Plugin WordPress Stripe Donation and Payment Plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WordPress Stripe Donation and Payment Plugin: from n/a through 3.2.3. La vulnerabilidad de autorización faltante en el complemento HM de WordPress Stripe Donation and Payment Plugin permite explotar los niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta al complemento HM de WordPress Stripe Donation and Payment Plugin: desde n/a hasta 3.2.3. The Accept Stripe Donation and Payments – AidWP plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.2.3. This makes it possible for unauthenticated attackers to perform an unauthorized action. • https://patchstack.com/database/vulnerability/wp-stripe-donation/wordpress-aidwp-plugin-3-2-3-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45401 – stripe-cli Path Traversal vulnerability
https://notcve.org/view.php?id=CVE-2024-45401
stripe-cli is a command-line tool for the payment processor Stripe. A vulnerability exists in stripe-cli starting in version 1.11.1 and prior to version 1.21.3 where a plugin package containing a manifest with a malformed plugin shortname installed using the --archive-url or --archive-path flags can overwrite arbitrary files. The update in version 1.21.3 addresses the path traversal vulnerability by removing the ability to install plugins from an archive URL or path. There has been no evidence of exploitation of this vulnerability. • CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H https://github.com/stripe/stripe-cli/security/advisories/GHSA-fv4g-gwpj-74gr • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43315 – WordPress Stripe Payments For WooCommerce plugin <= 1.9.1 - Insecure Direct Object References (IDOR) vulnerability
https://notcve.org/view.php?id=CVE-2024-43315
Authorization Bypass Through User-Controlled Key vulnerability in Checkout Plugins Stripe Payments For WooCommerce by Checkout.This issue affects Stripe Payments For WooCommerce by Checkout: from n/a through 1.9.1. The Stripe Payments For WooCommerce by Checkout Plugins plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.1 via the verify_intent() due to missing validation on the 'order' user controlled key. This makes it possible for unauthenticated attackers to access orders that do not belong to them. • https://patchstack.com/database/vulnerability/checkout-plugins-stripe-woo/wordpress-stripe-payments-for-woocommerce-plugin-1-9-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43316 – WordPress Stripe Payments For WooCommerce plugin <= 1.9.1 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-43316
Cross-Site Request Forgery (CSRF) vulnerability in Checkout Plugins Stripe Payments For WooCommerce by Checkout.This issue affects Stripe Payments For WooCommerce by Checkout: from n/a through 1.9.1. The Stripe Payments For WooCommerce by Checkout plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.9.1. This is due to missing or incorrect nonce validation on the verify_intent() function. This makes it possible for unauthenticated attackers to confirm orders via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/checkout-plugins-stripe-woo/wordpress-stripe-payments-for-woocommerce-plugin-1-9-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •