Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for WordPress Payments Plugin | GetPaid by AyeCode Ltd

    CVE-2021-24369 (GCVE-0-2021-24369)

    Vulnerability from nvd – Published: 2021-06-21 19:18 – Updated: 2024-08-03 19:28
    VLAI
    Title
    GetPaid < 2.3.4 - Authenticated Stored XSS
    Summary
    In the GetPaid WordPress plugin before 2.3.4, users with the contributor role and above can create a new Payment Form, however the Label and Help Text input fields were not getting sanitized properly. So it was possible to inject malicious content such as img tags, leading to a Stored Cross-Site Scripting issue which is triggered when the form will be edited, for example when an admin reviews it and could lead to privilege escalation.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    AyeCode Ltd WordPress Payments Plugin | GetPaid Affected: 2.3.4 , < 2.3.4 (custom)
    Create a notification for this product.
    Credits
    Jörg Steinsträter
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:28:23.918Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/1d1a731b-78f7-4d97-b40d-80f66700edae"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "WordPress Payments Plugin | GetPaid",
              "vendor": "AyeCode Ltd",
              "versions": [
                {
                  "lessThan": "2.3.4",
                  "status": "affected",
                  "version": "2.3.4",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "J\u00f6rg Steinstr\u00e4ter"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In the GetPaid WordPress plugin before 2.3.4, users with the contributor role and above can create a new Payment Form, however the Label and Help Text input fields were not getting sanitized properly. So it was possible to inject malicious content such as img tags, leading to a Stored Cross-Site Scripting issue which is triggered when the form will be edited, for example when an admin reviews it and could lead to privilege escalation."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-06-21T19:18:18.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://wpscan.com/vulnerability/1d1a731b-78f7-4d97-b40d-80f66700edae"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "GetPaid \u003c 2.3.4 - Authenticated Stored XSS",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-24369",
              "STATE": "PUBLIC",
              "TITLE": "GetPaid \u003c 2.3.4 - Authenticated Stored XSS"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "WordPress Payments Plugin | GetPaid",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.3.4",
                                "version_value": "2.3.4"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "AyeCode Ltd"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "J\u00f6rg Steinstr\u00e4ter"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In the GetPaid WordPress plugin before 2.3.4, users with the contributor role and above can create a new Payment Form, however the Label and Help Text input fields were not getting sanitized properly. So it was possible to inject malicious content such as img tags, leading to a Stored Cross-Site Scripting issue which is triggered when the form will be edited, for example when an admin reviews it and could lead to privilege escalation."
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/1d1a731b-78f7-4d97-b40d-80f66700edae",
                  "refsource": "CONFIRM",
                  "url": "https://wpscan.com/vulnerability/1d1a731b-78f7-4d97-b40d-80f66700edae"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-24369",
        "datePublished": "2021-06-21T19:18:18.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:28:23.918Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-24369 (GCVE-0-2021-24369)

    Vulnerability from cvelistv5 – Published: 2021-06-21 19:18 – Updated: 2024-08-03 19:28
    VLAI
    Title
    GetPaid < 2.3.4 - Authenticated Stored XSS
    Summary
    In the GetPaid WordPress plugin before 2.3.4, users with the contributor role and above can create a new Payment Form, however the Label and Help Text input fields were not getting sanitized properly. So it was possible to inject malicious content such as img tags, leading to a Stored Cross-Site Scripting issue which is triggered when the form will be edited, for example when an admin reviews it and could lead to privilege escalation.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    AyeCode Ltd WordPress Payments Plugin | GetPaid Affected: 2.3.4 , < 2.3.4 (custom)
    Create a notification for this product.
    Credits
    Jörg Steinsträter
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:28:23.918Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/1d1a731b-78f7-4d97-b40d-80f66700edae"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "WordPress Payments Plugin | GetPaid",
              "vendor": "AyeCode Ltd",
              "versions": [
                {
                  "lessThan": "2.3.4",
                  "status": "affected",
                  "version": "2.3.4",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "J\u00f6rg Steinstr\u00e4ter"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In the GetPaid WordPress plugin before 2.3.4, users with the contributor role and above can create a new Payment Form, however the Label and Help Text input fields were not getting sanitized properly. So it was possible to inject malicious content such as img tags, leading to a Stored Cross-Site Scripting issue which is triggered when the form will be edited, for example when an admin reviews it and could lead to privilege escalation."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-06-21T19:18:18.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://wpscan.com/vulnerability/1d1a731b-78f7-4d97-b40d-80f66700edae"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "GetPaid \u003c 2.3.4 - Authenticated Stored XSS",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-24369",
              "STATE": "PUBLIC",
              "TITLE": "GetPaid \u003c 2.3.4 - Authenticated Stored XSS"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "WordPress Payments Plugin | GetPaid",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.3.4",
                                "version_value": "2.3.4"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "AyeCode Ltd"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "J\u00f6rg Steinstr\u00e4ter"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In the GetPaid WordPress plugin before 2.3.4, users with the contributor role and above can create a new Payment Form, however the Label and Help Text input fields were not getting sanitized properly. So it was possible to inject malicious content such as img tags, leading to a Stored Cross-Site Scripting issue which is triggered when the form will be edited, for example when an admin reviews it and could lead to privilege escalation."
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/1d1a731b-78f7-4d97-b40d-80f66700edae",
                  "refsource": "CONFIRM",
                  "url": "https://wpscan.com/vulnerability/1d1a731b-78f7-4d97-b40d-80f66700edae"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-24369",
        "datePublished": "2021-06-21T19:18:18.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:28:23.918Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }