WordPress Plugin Vulnerabilities

Credova_Financial < 1.4.9 - Sensitive Information Disclosure

Description

The plugin discloses a site’s associated Credova API account username and password in plaintext via an AJAX action whenever a site user goes to checkout on a page that has the Credova Financing option enabled

Affects Plugins

Plugin icon
credova-financial
Fixed in 1.4.9

References

CVE
CVE-2021-39342
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39342

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Marvin Santos
Verified
No
WPVDB ID
9c8834fb-1134-4221-b97b-04d95c277a44

Timeline

Publicly Published
2021-09-29 (about 4 years ago)
Added
2021-09-29 (about 4 years ago)
Last Updated
2022-04-12 (about 4 years ago)

Other

Published
Title
Published
2024-11-26
Title
ProfilePress < 4.15.19 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Published
2024-12-17
Title
Accept Authorize.NET Payments Using Contact Form 7 < 2.3 - Unauthenticated Information Exposure
Published
2025-11-09
Title
Follow My Blog Post < 2.4.0 - Unauthenticated Information Exposure
Published
2023-12-18
Title
BackWPup < 4.0.4 - Unauthenticated Backup Download
Published
2026-01-08
Title
NextGEN Download Gallery <= 1.6.2 - Unauthenticated Information Exposure