CVE-2021-39347

Опубликовано: 04 окт. 2021

Источник: nvd

CVSS3: 4.3

CVSS2: 4

EPSS Низкий

Описание

The Stripe for WooCommerce WordPress plugin is missing a capability check on the save() function found in the ~/includes/admin/class-wc-stripe-admin-user-edit.php file that makes it possible for attackers to configure their account to use other site users unique STRIPE identifier and make purchases with their payment accounts. This affects versions 3.0.0 - 3.3.9.

Ссылки

https://plugins.trac.wordpress.org/changeset/2601162/woo-stripe-payment/trunk/includes/admin/class-wc-stripe-admin-user-edit.php
Patch
Third Party Advisory
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39347
Third Party Advisory
https://plugins.trac.wordpress.org/changeset/2601162/woo-stripe-payment/trunk/includes/admin/class-wc-stripe-admin-user-edit.php
Patch
Third Party Advisory
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39347
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:paymentplugins:stripe_for_woocommerce:*:*:*:*:*:wordpress:*:*

Версия от 3.0.0 (включая) до 3.3.9 (включая)

EPSS

Процентиль: 34%

0.00135

Низкий

4.3 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-862

Связанные уязвимости

GHSA-jv5v-gch6-hq4m

github

больше 3 лет назад