CVE-2024-5447

Published Jun 21, 2024

Last updated 10 months ago

WordPress

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2024-5447 is a vulnerability found in the PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin, specifically in versions up to 1.7. It's a Cross-Site Scripting (XSS) vulnerability, categorized as CWE-79. The vulnerability exists because the plugin doesn't properly sanitize and escape some of its settings. This allows high-privilege users, such as administrators, to inject malicious scripts into the website settings, leading to stored XSS attacks. These injected scripts can then be executed in the context of other users who visit the affected pages, potentially leading to data theft or other malicious activities.

Description: The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Source: contact@wpscan.com
NVD status: Modified

Risk scores

CVSS 3.1

Type: Primary
Base score: 4.8
Impact score: 2.7
Exploitability score: 1.7
Vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Severity: MEDIUM

Weaknesses

nvd@nist.gov: CWE-79

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:mohsinrasool:paypal_pay_now\\,_buy_now\\,_donation_and_cart_buttons_shortcode:*:*:*:*:*:wordpress:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A28078A9-0A0F-4191-8C1C-54BE39B0EF6C",
            "versionEndIncluding": "1.7"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]