WordPress Plugin Vulnerabilities

WP Express Checkout (Accept PayPal Payments) < 2.3.8 - Unauthenticated Price Manipulation

Description

The WP Express Checkout (Accept PayPal Payments) plugin for WordPress is vulnerable to price manipulation in all versions up to, and including, 2.3.7. This is due to insufficient validation on the pricing data being passed to the server. This makes it possible for unauthenticated attackers to modify the price of bookings.

Affects Plugins

Plugin icon
wp-express-checkout
Fixed in 2.3.8

References

CVE
CVE-2024-30527
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/42cd1b53-400f-4933-b3cc-2fd9079e241c

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Xinzhi Luo
Verified
No
WPVDB ID
7a14582b-6ebd-4a3f-bcad-1d847ff778dc

Timeline

Publicly Published
2024-03-29 (about 2 years ago)
Added
2024-04-04 (about 2 years ago)
Last Updated
2024-04-04 (about 2 years ago)

Other

Published
Title
Published
2025-08-11
Title
UiCore Elements < 1.3.1 - Missing Authorization to Unauthenticated Arbitrary File Read
Published
2025-02-03
Title
Embed RSS <= 3.1 - Authenticated (Subscriber+) Arbitrary Shortcode Execution
Published
2023-12-25
Title
Estatik Real Estate Plugin < 4.1.1 - Subscriber+ Arbitrary Option Update
Published
2025-07-04
Title
CF7 7 Mailchimp Add-on < 2.4 - Missing Authorization
Published
2023-01-10
Title
Royal Elementor Addons < 1.3.60 - Subscriber+ Template Kit Import