WordPress Plugin Vulnerabilities

Stripe Payments < 2.0.40 - Authenticated Stored Cross-Site Scripting (XSS)

Description

The Stripe Payments WordPress plugin, version 2.0.39 and possibly below, was vulnerable to Stored Cross-Site Scripting (XSS) in the plugin's currency_code settings parameter.

The form did require a valid CSRF nonce, limiting the exploitability of the vulnerability.

Affects Plugins

Plugin icon
stripe-payments
Fixed in 2.0.40

References

Exploitdb
49354
URL
https://packetstormsecurity.com/files/#160799/
URL
https://plugins.trac.wordpress.org/changeset/2452252

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.4 (medium)

Miscellaneous

Original Researcher
Park Won Seok
Submitter
Ryan
Verified
Yes
WPVDB ID
e4136273-ffd5-4588-a47b-21a6105c1bca

Timeline

Publicly Published
2021-01-05 (about 3 years ago)
Added
2021-01-08 (about 3 years ago)
Last Updated
2021-01-10 (about 3 years ago)

Other

Published
Title
Published
2015-05-06
Title
Jetpack <= 3.5.2 - Unauthenticated DOM Cross-Site Scripting (XSS)
Published
2017-03-01
Title
Trust Form < 2.0.1 - Authenticated Reflected Cross-Site Scripting (XSS)
Published
2024-02-05
Title
Shariff Wrapper < 4.6.10 - Admin+ Stored XSS
Published
2024-03-25
Title
Podlove Podcast Publisher < 4.0.10 - Reflected Cross-Site Scripting
Published
2023-05-09
Title
Wholesale Suite < 2.1.5.1 - Cross-Site Request Forgery