CVE-2024-13728

Published Feb 23, 2025

Last updated 5 days ago

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2024-13728 is a cross-site scripting (XSS) vulnerability found in the Scott Paterson Accept Donations with PayPal & Stripe Plugin for WordPress, specifically versions prior to 1.4.4. The vulnerability stems from improper handling of the "rf" parameter, allowing attackers to inject malicious scripts. These scripts can then be executed in the browsers of unsuspecting users who visit the affected website. The vulnerability was publicly disclosed on January 24, 2025, and further details are available from Wordfence. Users of the plugin are strongly encouraged to update to version 1.4.4 or later to mitigate the risk associated with this vulnerability. Cross-site scripting vulnerabilities can have various consequences, including session hijacking, data theft, and redirection to malicious websites.

Description: The Accept Donations with PayPal & Stripe plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the rf parameter in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Source: security@wordfence.com
NVD status: Received

Risk scores

CVSS 3.1

Type: Primary
Base score: 6.1
Impact score: 2.7
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity: MEDIUM

Weaknesses

security@wordfence.com: CWE-79

Hype score: Not currently trending

Overview

AI description

Risk scores

CVSS 3.1

Weaknesses

Social media

References