CVE-2024-30527 – WordPress WP Express Checkout plugin <= 2.3.7 - Price Manipulation vulnerability
https://notcve.org/view.php?id=CVE-2024-30527
Improper Validation of Specified Quantity in Input vulnerability in Tips and Tricks HQ WP Express Checkout (Accept PayPal Payments) allows Manipulating Hidden Fields.This issue affects WP Express Checkout (Accept PayPal Payments): from n/a through 2.3.7. Vulnerabilidad de validación incorrecta de la cantidad especificada en la entrada en Tips and Tricks HQ WP Express Checkout (Accept PayPal Payments) permite manipular campos ocultos. Este problema afecta a WP Express Checkout (Accept PayPal Payments): desde n/a hasta 2.3.7. The WP Express Checkout (Accept PayPal Payments) plugin for WordPress is vulnerable to price manipulation in all versions up to, and including, 2.3.7. This is due to insufficient validation on the pricing data being passed to the server. • https://patchstack.com/database/vulnerability/wp-express-checkout/wordpress-wp-express-checkout-plugin-2-3-7-price-manipulation-vulnerability?_s_id=cve • CWE-348: Use of Less Trusted Source CWE-1284: Improper Validation of Specified Quantity in Input •
CVE-2023-1469 – WP Express Checkout <= 2.2.8 - Authenticated (Admin+) Stored Cross-Site Scripting via pec_coupon[code]
https://notcve.org/view.php?id=CVE-2023-1469
The WP Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pec_coupon[code]’ parameter in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrator-level access to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: This can potentially be exploited by lower-privileged users if the `Admin Dashboard Access Permission` setting it set for those users to access the dashboard. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2879453%40wp-express-checkout&new=2879453%40wp-express-checkout&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/b35ee801-f04d-4b22-8238-053b02a6ee0c?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •