
CVE-2024-30527 – WordPress WP Express Checkout plugin <= 2.3.7 - Price Manipulation vulnerability
https://notcve.org/view.php?id=CVE-2024-30527
29 Mar 2024 — Improper Validation of Specified Quantity in Input vulnerability in Tips and Tricks HQ WP Express Checkout (Accept PayPal Payments) allows Manipulating Hidden Fields.This issue affects WP Express Checkout (Accept PayPal Payments): from n/a through 2.3.7. Vulnerabilidad de validación incorrecta de la cantidad especificada en la entrada en Tips and Tricks HQ WP Express Checkout (Accept PayPal Payments) permite manipular campos ocultos. Este problema afecta a WP Express Checkout (Accept PayPal Payments): desde... • https://patchstack.com/database/vulnerability/wp-express-checkout/wordpress-wp-express-checkout-plugin-2-3-7-price-manipulation-vulnerability?_s_id=cve • CWE-348: Use of Less Trusted Source CWE-1284: Improper Validation of Specified Quantity in Input •

CVE-2023-1469 – WP Express Checkout <= 2.2.8 - Authenticated (Admin+) Stored Cross-Site Scripting via pec_coupon[code]
https://notcve.org/view.php?id=CVE-2023-1469
17 Mar 2023 — The WP Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pec_coupon[code]’ parameter in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrator-level access to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: This can potentially be exploited by lower-privileged users if the `Admin Dashboard Access Per... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2879453%40wp-express-checkout&new=2879453%40wp-express-checkout&sfp_email=&sfph_mail= • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •