1 results (0.003 seconds)

CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1

The Checkout for PayPal WordPress plugin before 1.0.14 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks El complemento de WordPress Checkout for PayPal anterior a 1.0.14 no valida ni escapa algunos de sus atributos de código corto antes de devolverlos a la página, lo que podría permitir a los usuarios con un rol tan bajo como el de colaborador realizar ataques de cross site scripting almacenado. The Checkout for PayPal plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes ('item_description' and 'amount') within the ‘checkout_for_paypal_button_handler’ function in versions up to, and including, 1.0.13 due to insufficient input sanitization and output escaping. This makes it possible for contributor-level attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.  • https://wpscan.com/vulnerability/0b48bbd6-7c77-44b8-a5d6-34e4a0747cf1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •