Lucene search

[email protected]NVD:CVE-2024-0619

HistoryJul 11, 2024 - 4:15 a.m.

CVE-2024-0619

2024-07-1104:15:03

CWE-862

[email protected]

web.nvd.nist.gov

cve-2024-0619

payflex payment gateway

wordpress

unauthorized modification

capability check

payment_callback

unauthenticated attackers

revenue loss

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

17.3%

JSON

The Payflex Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the payment_callback() function in all versions up to, and including, 2.5.0. This makes it possible for unauthenticated attackers to update the status of orders, which can potentially lead to revenue loss.

Affected configurations

Nvd

Node

payflexpayment_gatewayRange≤2.5.0wordpress

VendorProductVersionCPE
payflexpayment_gateway*cpe:2.3:a:payflex:payment_gateway:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
payflex	payment_gateway	*	cpe:2.3:a:payflex:payment_gateway::::::wordpress::*

References

plugins.trac.wordpress.org/browser/payflex-payment-gateway/trunk/partpay.php#L751

www.wordfence.com/threat-intel/vulnerabilities/id/9f740cfa-7163-4634-9705-0e01ee571a11?source=cve

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

17.3%

JSON

Related for NVD:CVE-2024-0619

vulnrichment1 cve1 cvelist1 wordfence1