CVE-2024-5861

WP Easy Pay (Free) <= 4.2.3 - Missing Authorization to Unauthenticated Service Disconnection

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

The WP EasyPay – Square for WordPress plugin for WordPress is vulnerable to unauthorized modification of datadue to a missing capability check on the wpep_square_disconnect() function in all versions up to, and including, 4.2.3. This makes it possible for unauthenticated attackers to disconnect square.

El complemento WP EasyPay – Square para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificación de capacidad en la función wpep_square_disconnect() en todas las versiones hasta la 4.2.3 incluida. Esto hace posible que atacantes no autenticados desconecten el cuadrado.

*Credits: Lucio Sá

CVSS Scores

Wordfencev3.1 5.3

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-06-11 CVE Reserved
2024-07-23 CVE Published
2024-07-24 EPSS Updated
2024-08-01 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-862: Missing Authorization

CAPEC

References (4)

URL	Tag	Source
https://plugins.trac.wordpress.org/browser/wp-easy-pay/trunk/modules/payments/square-authorization.php#L199
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3106655%40wp-easy-pay&new=3106655%40wp-easy-pay&sfp_email=&sfph_mail=#file1
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3122946%40wp-easy-pay&new=3122946%40wp-easy-pay&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/446d458e-8b42-434e-a190-0af37a7d3afb?source=cve

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Wpexpertsio Search vendor "Wpexpertsio"		WP EasyPay – Square For WordPress Search vendor "Wpexpertsio" for product "WP EasyPay – Square For WordPress"				<= 4.2.3 Search vendor "Wpexpertsio" for product "WP EasyPay – Square For WordPress" and version " <= 4.2.3"		en		Affected