logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

Stripe Payments < 2.0.40 - Authenticated Stored Cross-Site Scripting (XSS)

Description

The Stripe Payments WordPress plugin, version 2.0.39 and possibly below, was vulnerable to Stored Cross-Site Scripting (XSS) in the plugin's currency_code settings parameter.

The form did require a valid CSRF nonce, limiting the exploitability of the vulnerability.

Affects Plugins

stripe-payments

Fixed in version 2.0.40

References

URL

https://plugins.trac.wordpress.org/changeset/2452252

URL

https://packetstormsecurity.com/files/160799/

ExploitDB

49354

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

Miscellaneous

Original Researcher

Park Won Seok

Submitter

Ryan

Verified

Yes

WPVDB ID

e4136273-ffd5-4588-a47b-21a6105c1bca

Timeline

Publicly Published

2021-01-05 (about 4 months ago)

Added

2021-01-08 (about 3 months ago)

Last Updated

2021-01-10 (about 3 months ago)

Our Other Services

WPScan WordPress Security Plugin