Wp Easypay
Monthly
Cross-site request forgery in the WP EasyPay WordPress plugin (versions through 4.4.0) enables remote attackers to perform unauthorized administrative actions by tricking an authenticated WordPress administrator into visiting a maliciously crafted page. Missing or insufficient nonce verification on one or more plugin endpoints allows the attacker's forged request to be processed as a legitimate action using the victim's active session. No public exploit code and no CISA KEV listing are present at time of analysis.
WP EasyPay plugin through version 4.3.0 exposes sensitive information in sent data, allowing unauthenticated remote attackers to retrieve embedded data without user interaction. The vulnerability stems from improper handling of sensitive data during transmission, classified as an information disclosure issue with a CVSS score of 5.3 (network-accessible, low complexity). No active exploitation has been confirmed in CISA KEV at the time of analysis.
WP EasyPay versions up to 4.2.11 contain an authorization bypass that allows authenticated users to modify plugin settings and functionality beyond their intended access level. An attacker with valid credentials could exploit improperly configured access controls to perform unauthorized actions such as disabling security features or altering payment processing configurations. No patch is currently available for this vulnerability.
The WP EasyPay - Square for WordPress plugin for WordPress is vulnerable to unauthorized modification of datadue to a missing capability check on the wpep_square_disconnect() function in all versions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.
The WP EasyPay WordPress plugin before 4.1 does not escape some generated URLs before outputting them back in pages, leading to Reflected Cross-Site Scripting issues which could be used against high. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The WP EasyPay - Square for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.2.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.
Cross-Site Request Forgery (CSRF) vulnerability in WP Easy Pay WP EasyPay - Square for WordPress plugin <= 4.1 versions. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-site request forgery in the WP EasyPay WordPress plugin (versions through 4.4.0) enables remote attackers to perform unauthorized administrative actions by tricking an authenticated WordPress administrator into visiting a maliciously crafted page. Missing or insufficient nonce verification on one or more plugin endpoints allows the attacker's forged request to be processed as a legitimate action using the victim's active session. No public exploit code and no CISA KEV listing are present at time of analysis.
WP EasyPay plugin through version 4.3.0 exposes sensitive information in sent data, allowing unauthenticated remote attackers to retrieve embedded data without user interaction. The vulnerability stems from improper handling of sensitive data during transmission, classified as an information disclosure issue with a CVSS score of 5.3 (network-accessible, low complexity). No active exploitation has been confirmed in CISA KEV at the time of analysis.
WP EasyPay versions up to 4.2.11 contain an authorization bypass that allows authenticated users to modify plugin settings and functionality beyond their intended access level. An attacker with valid credentials could exploit improperly configured access controls to perform unauthorized actions such as disabling security features or altering payment processing configurations. No patch is currently available for this vulnerability.
The WP EasyPay - Square for WordPress plugin for WordPress is vulnerable to unauthorized modification of datadue to a missing capability check on the wpep_square_disconnect() function in all versions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.
The WP EasyPay WordPress plugin before 4.1 does not escape some generated URLs before outputting them back in pages, leading to Reflected Cross-Site Scripting issues which could be used against high. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The WP EasyPay - Square for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.2.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.
Cross-Site Request Forgery (CSRF) vulnerability in WP Easy Pay WP EasyPay - Square for WordPress plugin <= 4.1 versions. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.