Accept Stripe Donation – AidWP Security Vulnerabilities

Wordfence Intelligence Weekly WordPress Vulnerability Report (July 3, 2023 to July 9, 2023)

Last week, there were 61 vulnerabilities disclosed in 54 WordPress Plugins and 1 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 28 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in....

CVE-2023-24405

Cross-Site Request Forgery (CSRF) vulnerability in Scott Paterson Contact Form 7 – PayPal & Stripe Add-on plugin <= 1.9.3...

CVE-2023-24405

Cross-Site Request Forgery (CSRF) vulnerability in Scott Paterson Contact Form 7 – PayPal & Stripe Add-on plugin <= 1.9.3...

Cross site request forgery (csrf)

Cross-Site Request Forgery (CSRF) vulnerability in Scott Paterson Contact Form 7 – PayPal & Stripe Add-on plugin <= 1.9.3...

CVE-2023-24405 WordPress Contact Form 7 – PayPal & Stripe Add-on Plugin <= 1.9.3 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Scott Paterson Contact Form 7 – PayPal & Stripe Add-on plugin &lt;= 1.9.3...

First liquidity provider can break minting of shares

Lines of code Vulnerability details Impact The attack vector and impact is that users may not receive shares in exchange for their deposits if the total asset amount has been manipulated through a large “donation”. Proof of Concept The attack vector and impact is that users may not receive shares.....

TWAP can be easily manipulated by attacker through the sync() function, causing loss of funds

Lines of code Vulnerability details Description Please refer to the issue titled Implementation of Well shift() function allows attackers to completely manipulate the oracles for relevant introduction and context. The safety of the TWAP relies on calling the observation function (update()) with...

CVE-2023-36817

tktchurch/website contains the codebase for The King's Temple Church website. In version 0.1.0, a Stripe API key was found in the public code repository of the church's project. This sensitive information was unintentionally committed and subsequently exposed in the codebase. If an unauthorized...

CVE-2023-36817

tktchurch/website contains the codebase for The King's Temple Church website. In version 0.1.0, a Stripe API key was found in the public code repository of the church's project. This sensitive information was unintentionally committed and subsequently exposed in the codebase. If an unauthorized...

CVE-2023-36817

tktchurch/website contains the codebase for The King's Temple Church website. In version 0.1.0, a Stripe API key was found in the public code repository of the church's project. This sensitive information was unintentionally committed and subsequently exposed in the codebase. If an unauthorized...

Code injection

tktchurch/website contains the codebase for The King's Temple Church website. In version 0.1.0, a Stripe API key was found in the public code repository of the church's project. This sensitive information was unintentionally committed and subsequently exposed in the codebase. If an unauthorized...

CVE-2023-36817 The King's Temple Church website Leaked Stripe API Key in Public Code Repository

tktchurch/website contains the codebase for The King's Temple Church website. In version 0.1.0, a Stripe API key was found in the public code repository of the church's project. This sensitive information was unintentionally committed and subsequently exposed in the codebase. If an unauthorized...

WooCommerce Stripe Payment Gateway Plugin for WordPress < 7.4.1 Insecure Direct Object Reference

The WordPress WooCommerce Stripe Payment Gateway Plugin installed on the remote host is affected by an Insecure Direct Object Reference leading to Personally Identifiable Information Disclosure. Note that the scanner has not tested for these issues but has instead relied only on the application's.....

WooCommerce Stripe Payment Gateway < 7.4.1 - Subscriber+ Order Intent Update

The plugin does not properly restrict users from making a certain set of changes to other customers' orders. TODO: ADD link to Patchstack's post instead of H1 PoC Affected functions: create_payment_intent_ajax update_payment_intent_ajax save_upe_appearance_ajax update_order_status_ajax...

WooCommerce Stripe Payment Gateway < 7.4.1 - Subscriber+ Order Intent Update

The plugin does not properly restrict users from making a certain set of changes to other customers' orders. TODO: ADD link to Patchstack's post instead of...

Wordfence Intelligence Weekly WordPress Vulnerability Report (June 12, 2023 to June 18, 2023)

Last week, there were 60 vulnerabilities disclosed in 52 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 25 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities...

WordPress WooCommerce Stripe Payment Gateway Plugin < 7.4.1 IDOR Vulnerability

The WordPress...

M-10 Unmitigated

Lines of code Vulnerability details Mitigation of M-10: Issue NOT mitigated Mitigated issue M-10: First 1 wei deposit can produce lose of user xETH funds in wxETH Fix: code-423n4/2023-05-xeth@fbb2972 The issue is similar to the standard inflation attack, except that instead of the attacker's...

CVE-2023-25450

Cross-Site Request Forgery (CSRF) vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform plugin &lt;= 2.25.1...

CVE-2023-25450

Cross-Site Request Forgery (CSRF) vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform plugin &lt;= 2.25.1...

Cross site request forgery (csrf)

Cross-Site Request Forgery (CSRF) vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform plugin &lt;= 2.25.1...

CVE-2023-25450 WordPress GiveWP Plugin <= 2.25.1 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform plugin &lt;= 2.25.1...

Critical Security Vulnerability Discovered in WooCommerce Stripe Gateway Plugin

A security flaw has been uncovered in the WooCommerce Stripe Gateway WordPress plugin that could lead to the unauthorized disclosure of sensitive information. The flaw, tracked as CVE-2023-34000, impacts versions 7.4.0 and below. It was addressed by the plugin maintainers in version 7.4.1, which...

CVE-2023-34000

Unauth. IDOR vulnerability leading to PII Disclosure in WooCommerce Stripe Payment Gateway plugin &lt;= 7.4.0...

CVE-2023-34000

Unauth. IDOR vulnerability leading to PII Disclosure in WooCommerce Stripe Payment Gateway plugin &lt;= 7.4.0...

Design/Logic Flaw

Unauth. IDOR vulnerability leading to PII Disclosure in WooCommerce Stripe Payment Gateway plugin &lt;= 7.4.0...

CVE-2023-34000 WordPress WooCommerce Stripe Payment Gateway Plugin <= 7.4.0 is vulnerable to Insecure Direct Object References (IDOR)

Unauth. IDOR vulnerability leading to PII Disclosure in WooCommerce Stripe Payment Gateway plugin &lt;= 7.4.0...

WooCommerce Stripe Payment Gateway < 7.4.1 - Unauthenticated PII Disclosure via IDOR

The plugin does not ensure that the order details to be displayed belongs to the user making the request, allows unauthenticated users to access sensitive information about the reorder details such as first/last names, email and address PoC As unauthenticated, see the source of...

WooCommerce Stripe Payment Gateway < 7.4.1 - Unauthenticated PII Disclosure via IDOR

The plugin does not ensure that the order details to be displayed belongs to the user making the request, allows unauthenticated users to access sensitive information about the reorder details such as first/last names, email and...

Wordfence Intelligence Weekly WordPress Vulnerability Report (May 29, 2023 to June 4, 2023)

Last week, there were 116 vulnerabilities disclosed in 88 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 35 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities...

How to Configure a Custom Text Banner for the Veeam Backup & Replication Console

This article documents enabling and configuring the "Classified Stripe," a feature that can be configured to prominently display a banner in all Veeam Backup & Replication Consoles that connect to the Veeam Backup Server, including remote...

CVE-2022-4950

Several WordPress plugins developed by Cool Plugins are vulnerable to arbitrary plugin installation and activation that can lead to remote code execution by authenticated attackers with minimal permissions, such as a...

CVE-2023-2406

The Event Registration Calendar By vcita plugin, versions up to and including 3.9.1, and Online Payments – Get Paid with PayPal, Square & Stripe plugin, for WordPress are vulnerable to Stored Cross-Site Scripting via the 'email' parameter in versions up to, and including, 1.3.1 due to insufficient....

CVE-2023-2407

The Event Registration Calendar By vcita plugin, versions up to and including 3.9.1, and Online Payments – Get Paid with PayPal, Square & Stripe plugin, for WordPress are vulnerable to Cross-Site Request Forgery. This is due to missing nonce validation in the ls_parse_vcita_callback() function....

CVE-2023-2406

The Event Registration Calendar By vcita plugin, versions up to and including 3.9.1, and Online Payments – Get Paid with PayPal, Square & Stripe plugin, for WordPress are vulnerable to Stored Cross-Site Scripting via the 'email' parameter in versions up to, and including, 1.3.1 due to insufficient....

CVE-2023-2407

The Event Registration Calendar By vcita plugin, versions up to and including 3.9.1, and Online Payments – Get Paid with PayPal, Square & Stripe plugin, for WordPress are vulnerable to Cross-Site Request Forgery. This is due to missing nonce validation in the ls_parse_vcita_callback() function....

Cross site scripting

The Event Registration Calendar By vcita plugin, versions up to and including 3.9.1, and Online Payments – Get Paid with PayPal, Square & Stripe plugin, for WordPress are vulnerable to Stored Cross-Site Scripting via the 'email' parameter in versions up to, and including, 1.3.1 due to insufficient....

Cross site request forgery (csrf)

The Event Registration Calendar By vcita plugin, versions up to and including 3.9.1, and Online Payments – Get Paid with PayPal, Square & Stripe plugin, for WordPress are vulnerable to Cross-Site Request Forgery. This is due to missing nonce validation in the ls_parse_vcita_callback() function....

CVE-2023-2407

The Event Registration Calendar By vcita plugin, versions up to and including 3.9.1, and Online Payments – Get Paid with PayPal, Square & Stripe plugin, for WordPress are vulnerable to Cross-Site Request Forgery. This is due to missing nonce validation in the ls_parse_vcita_callback() function....

CVE-2023-2406

The Event Registration Calendar By vcita plugin, versions up to and including 3.9.1, and Online Payments – Get Paid with PayPal, Square & Stripe plugin, for WordPress are vulnerable to Stored Cross-Site Scripting via the 'email' parameter in versions up to, and including, 1.3.1 due to insufficient....

Stripe: The `stripe/veneur` GitHub repository links to a domain `veneur.org`, which is not under stripe's control

Initially reported at https://github.com/stripe/veneur/issues/1058. Since that report, the repository's sidebar has been updated to no longer link to the uncontrolled domain. Many of the 179 forks of this repository still contain the link to the uncontrolled domain. Summary: The...

ChatGPT: Cybersecurity friend or foe?

If you haven't heard about ChatGPT yet, perhaps you've just been thawed from cryogenic slumber or returned from six months off the grid. ChatGPT--the much-hyped, artificial intelligence (AI) chatbot that provides human-like responses from an enormous knowledge base--has been embraced practically...

Malicious code in stripe-terminal-react-native (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (0e3b17da38297fec9219b0316809efc9980ec6945104c9cada84571ffbfb2192) The OpenSSF Package Analysis project identified 'stripe-terminal-react-native' @ 999.99.99 (npm) as malicious. It is considered malicious because:.....

Wordfence Intelligence Weekly WordPress Vulnerability Report (May 8, 2023 to May 14, 2023)

Last week, there were 139 vulnerabilities disclosed in 105 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 47 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities.....

Wordfence Intelligence Weekly WordPress Vulnerability Report (May 1, 2023 to May 7, 2023)

Last week, there were 58 vulnerabilities disclosed in 43 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 27 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in....

CVE-2022-47441

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Charitable Donations & Fundraising Team Donation Forms by Charitable plugin &lt;= 1.7.0.10...

CVE-2022-47441

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Charitable Donations & Fundraising Team Donation Forms by Charitable plugin &lt;= 1.7.0.10...

Cross site scripting

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Charitable Donations & Fundraising Team Donation Forms by Charitable plugin &lt;= 1.7.0.10...

CVE-2022-47441 WordPress Charitable Plugin <= 1.7.0.10 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Charitable Donations & Fundraising Team Donation Forms by Charitable plugin &lt;= 1.7.0.10...

Malicious code in stripe-deep-dup-tree (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (29790a4dda8ea513434302f82a02b4ef9cb90fa0b9e63de804082d284c8cb989) The OpenSSF Package Analysis project identified 'stripe-deep-dup-tree' @ 1.0.0 (npm) as malicious. It is considered malicious because: - The...