CVE-2024-5447

Published Jun 21, 2024

Last updated 9 months ago

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2024-5447 is a vulnerability found in the PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin, specifically in versions up to 1.7. It's a Cross-Site Scripting (XSS) vulnerability, categorized as CWE-79. The vulnerability exists because the plugin doesn't properly sanitize and escape some of its settings. This allows high-privilege users, such as administrators, to inject malicious scripts into the website settings, leading to stored XSS attacks. These injected scripts can then be executed in the context of other users who visit the affected pages, potentially leading to data theft or other malicious activities.

Description
The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

Source: contact@wpscan.com
NVD status: Modified
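
The defect class named in the description, illustrated as an added example that is not the plugin's own code: a WordPress setting that is stored and echoed raw, beside the hardened pattern that sanitises on save and escapes for the output context. The option name, field name, settings group and shortcode tag are hypothetical placeholders; the point is that a sanitize callback and output escaping protect other users regardless of whether the saving user holds unfiltered_html.

```php
<?php
// Added illustration, not the plugin's code. Option and field names are
// hypothetical placeholders chosen for this example.

// --- Unsafe pattern: the defect class described in the advisory ---
// The raw POST value is stored and later echoed verbatim, so an admin who
// can reach the settings page can store markup that runs for other users.
function ppbtn_demo_save_unsafe() {
    update_option( 'ppbtn_demo_label', $_POST['ppbtn_demo_label'] ); // no sanitisation
}
function ppbtn_demo_render_unsafe() {
    echo '<input name="ppbtn_demo_label" value="' . get_option( 'ppbtn_demo_label' ) . '">'; // no escaping
}

// --- Hardened pattern: sanitise on save, escape on output ---
// register_setting() with a sanitize_callback runs on every save through the
// Settings API, independent of the saving user's unfiltered_html capability
// (which multisite withholds from site admins who are not super admins).
function ppbtn_demo_register_setting() {
    register_setting(
        'ppbtn_demo_group',
        'ppbtn_demo_label',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field', // strips tags and control characters
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'ppbtn_demo_register_setting' );

// Escape for the exact context: attribute value here, HTML text elsewhere.
function ppbtn_demo_render_safe() {
    $label = get_option( 'ppbtn_demo_label', '' );
    printf(
        '<input type="text" name="ppbtn_demo_label" value="%s">',
        esc_attr( $label )
    );
}

// Shortcode output on the public site: escape again at render time rather
// than trusting that the stored value is clean.
function ppbtn_demo_shortcode() {
    return '<button type="submit">' . esc_html( get_option( 'ppbtn_demo_label', '' ) ) . '</button>';
}
add_shortcode( 'ppbtn_demo_button', 'ppbtn_demo_shortcode' );
```

Whether sanitize_text_field or a wp_kses() allow-list is the right callback depends on whether the setting is meant to hold markup; the escaping function must match the output context either way.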

Risk scores

CVSS 3.1

Type: Primary
Base score: 4.8
Impact score: 2.7
Exploitability score: 1.7
Vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Severity: MEDIUM

Weaknesses

nvd@nist.gov: CWE-79

Configurations