CVE Catalog

CVE-2021-47983

MediumCVSS 6.4
Published: Updated: Translated: NVD NIST

Summary

The WordPress Plugin Stripe Payments version 2.0.39 contains a stored XSS vulnerability that allows authenticated attackers to inject malicious scripts through the AcceptStripePayments-settings[currency_code] parameter. Attackers can submit POST requests to /wp-admin/options.php with script payloads in the currency_code field to execute arbitrary JavaScript in administrator browsers when settings are viewed.

Risk Assessment

This vulnerability could lead to session hijacking or data theft, posing a serious security threat to the site. It allows attackers to execute malicious code in the context of the administrator's browser.

Recommendation

It is recommended to update the Stripe Payments plugin to the latest version to mitigate this vulnerability. Additionally, conducting a security audit of plugins and monitoring logs for potential attacks is advisable.

Original NVD description (English source)

WordPress Plugin Stripe Payments 2.0.39 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the AcceptStripePayments-settings[currency_code] parameter. Attackers can submit POST requests to /wp-admin/options.php with script payloads in the currency_code field to execute arbitrary JavaScript in administrator browsers when settings are viewed.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS