← Zuruck zu CVEs

CVE-2021-39347

MEDIUM

4.3

Beschreibung

The Stripe for WooCommerce WordPress plugin is missing a capability check on the save() function found in the ~/includes/admin/class-wc-stripe-admin-user-edit.php file that makes it possible for attackers to configure their account to use other site users unique STRIPE identifier and make purchases with their payment accounts. This affects versions 3.0.0 - 3.3.9.

CVE Details

CVSS v3.1 Bewertung4.3

SchweregradMEDIUM

CVSS VektorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

AngriffsvektorNETWORK

KomplexitatLOW

Erforderliche PrivilegienLOW

BenutzerinteraktionNONE

Veroffentlicht10/4/2021

Zuletzt geandert11/21/2024

Quellenvd

Honeypot-Sichtungen0

Betroffene Produkte

paymentplugins:stripe_for_woocommerce

Schwachen (CWE)

CWE-862

Referenzen

https://plugins.trac.wordpress.org/changeset/2601162/woo-stripe-payment/trunk/includes/admin/class-wc-stripe-admin-user-edit.php(security@wordfence.com)

https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39347(security@wordfence.com)

https://plugins.trac.wordpress.org/changeset/2601162/woo-stripe-payment/trunk/includes/admin/class-wc-stripe-admin-user-edit.php(af854a3a-2127-422b-91ae-364da2661108)

https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39347(af854a3a-2127-422b-91ae-364da2661108)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.