CVE-2023-27460 – WordPress CP Contact Form with PayPal plugin <= 1.3.34 - Missing Authorization Leading To Feedback Submission vulnerability
https://notcve.org/view.php?id=CVE-2023-27460
Missing Authorization vulnerability in CodePeople, paypaldev CP Contact Form with Paypal allows Functionality Misuse.This issue affects CP Contact Form with Paypal: from n/a through 1.3.34. Vulnerabilidad de autorización faltante en CodePeople, paypaldev CP Contact Form with Paypal permite el uso indebido de la funcionalidad. Este problema afecta a CP Contact Form with Paypal: desde n/a hasta 1.3.34. The CP Contact Form with Paypal plugin for WordPress is vulnerable to missing authorization on the 'cpcfwpp_feedback' function in versions up to, and including, 1.3.34. This allows authenticated attackers, with subscriber-level capabilities or above, to submit feedback to the plugin developers, which is intended to be a functionality reserved for administrators. • https://patchstack.com/database/vulnerability/cp-contact-form-with-paypal/wordpress-cp-contact-form-with-paypal-plugin-1-3-34-missing-authorization-leading-to-feedback-submission-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVE-2023-23785 – WordPress Exquisite PayPal Donation Plugin <= v2.0.0 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-23785
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in DgCult Exquisite PayPal Donation plugin <= v2.0.0 versions. The Exquisite PayPal Donation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • https://patchstack.com/database/vulnerability/exquisite-paypal-donation/wordpress-exquisite-paypal-donation-plugin-v2-0-0-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-25714 – Quick Paypal Payments <= 5.7.25 - Missing Authorization
https://notcve.org/view.php?id=CVE-2023-25714
The Quick Paypal Payments plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability and nonce check on the 'download_logs' function in versions up to, and including, 5.7.25. This allows unauthenticated attackers to export and delete payment messages and modify payment message options. • CWE-862: Missing Authorization •
CVE-2023-25026 – PayPal Brasil para WooCommerce <= 1.4.2 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2023-25026
The PayPal Brasil para WooCommerce Plugin is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.2. This is due to missing or incorrect nonce validation on multiple functions using the WooCommerce API. This makes it possible for unauthenticated attackers to process checkouts and billing agreements via a forged request granted they can trick another site user into performing an action such as clicking on a link. • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2023-0535 – Donation Block For PayPal < 2.1.0 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2023-0535
The Donation Block For PayPal WordPress plugin before 2.1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The Donation Block For PayPal for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/8c50321a-dba8-4379-9b9c-4c349e44b2ed • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •