First published: Sat Jun 03 2023
The Event Registration Calendar By vcita plugin for WordPress, in versions up to and including 3.9.1, and the Online Payments – Get Paid with PayPal, Square & Stripe plugin, in versions up to and including 1.3.1, are vulnerable to Stored Cross-Site Scripting via the 'email' parameter due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with the edit_posts capability, such as contributors and above, to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.
Credit: security@wordfence.com
Affected Software | Affected Version | How to fix
---|---|---
Vcita CRM and Lead Management | <=3.9.1 | Update to 3.9.2 or later
Online Payments Get Paid with PayPal, Square & Stripe | <=1.3.1 | Update to 1.3.2 or later
CVE-2023-2406 is a vulnerability in the Event Registration Calendar By vcita and Online Payments – Get Paid with PayPal, Square & Stripe plugins for WordPress that allows for Stored Cross-Site Scripting.
The severity of CVE-2023-2406 is medium with a CVSS score of 5.4.
CVE-2023-2406 occurs due to insufficient input validation in the 'email' parameter of the affected plugins.
Versions up to and including 3.9.1 of the Event Registration Calendar By vcita plugin and versions up to and including 1.3.1 of the Online Payments – Get Paid with PayPal, Square & Stripe plugin for WordPress are affected by CVE-2023-2406.
Update the Event Registration Calendar By vcita plugin to version 3.9.2 or later, and update the Online Payments – Get Paid with PayPal, Square & Stripe plugin to version 1.3.2 or later to fix CVE-2023-2406.
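To make the root cause concrete, the following is an added illustration written for this page, not code from either vcita plugin: an 'email' field stored without validation and echoed without escaping, beside the hardened version that validates on input and escapes on output. Function names are hypothetical, and plain PHP stand-ins (filter_var, htmlspecialchars) are used so it runs from the CLI; in a WordPress plugin the equivalents would be sanitize_email()/is_email() on the way in and esc_html()/esc_attr() on the way out.

```php
<?php
// Illustration of the stored-XSS pattern described in the advisory.
// Not the plugin's code; function names are hypothetical.

// Constructed sample input: what a contributor-level user might submit as "email".
$submitted = 'someone@example.com<script>alert(1)</script>';

// --- Vulnerable pattern ----------------------------------------------------
function store_email_unsafe(array $post): string {
    // Saved verbatim: the field's format is never checked.
    return $post['email'];
}
function render_email_unsafe(string $stored): string {
    // Echoed verbatim: any markup in the stored value becomes part of the page.
    return '<span class="email">' . $stored . '</span>';
}

// --- Hardened pattern ------------------------------------------------------
function store_email_safe(array $post): ?string {
    // Validate the format on input (sanitize_email()/is_email() in WordPress)
    // and reject anything that is not a plain address rather than "cleaning" it.
    $email = trim($post['email'] ?? '');
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false ? $email : null;
}
function render_email_safe(?string $stored): string {
    // Escape on output no matter what was stored (esc_html() in WordPress),
    // so a value that slipped past validation still cannot inject tags.
    $text = htmlspecialchars($stored ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<span class="email">' . $text . '</span>';
}

$post = ['email' => $submitted];
// Vulnerable path: the script tag reaches the page intact.
echo 'unsafe:  ' . render_email_unsafe(store_email_unsafe($post)) . PHP_EOL;
// Hardened path: the value is rejected on input, so nothing is stored.
echo 'safe:    ' . render_email_safe(store_email_safe($post)) . PHP_EOL;
// Output escaping alone, for a value that was stored before the fix.
echo 'escaped: ' . render_email_safe($submitted) . PHP_EOL;
```

Both layers matter: input validation keeps bad data out of the database, and output escaping protects pages that render values stored before the fix was applied.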