The WP Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pec_coupon[code]’ parameter in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrator-level access to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: This can potentially be exploited by lower-privileged users if the `Admin Dashboard Access Permission` setting it set for those users to access the dashboard.
References
Configurations
History
07 Nov 2023, 04:03
Type | Values Removed | Values Added |
---|---|---|
CWE |
Information
Published : 2023-03-17 13:15
Updated : 2024-02-28 19:51
NVD link : CVE-2023-1469
Mitre link : CVE-2023-1469
CVE.ORG link : CVE-2023-1469
JSON object : View
Products Affected
tipsandtricks-hq
- wp_express_checkout
CWE
No CWE.