CVE-2024-11895: Online Payments – Get Paid with PayPal, Square & Stripe <= 3.20.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
First published: Tue Feb 18 2025(Updated: )
The Online Payments – Get Paid with PayPal, Square & Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.20.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Online Payments Get Paid with PayPal, Square & Stripe | <3.30.0 | |
| PayPal, Square & Stripe | <=3.20.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.wordfence.com/threat-intel/vulnerabilities/id/aab33299-f02d-44a1-9522-5309eed6fd38?source=cve
- https://plugins.trac.wordpress.org/browser/paypal-payment-button-by-vcita/tags/3.10.0/core/shortcodes.php#L22
- https://plugins.trac.wordpress.org/browser/paypal-payment-button-by-vcita/tags/3.10.0/core/shortcodes.php#L50
- https://plugins.trac.wordpress.org/browser/paypal-payment-button-by-vcita/tags/3.10.0/core/shortcodes.php#L91
- https://plugins.trac.wordpress.org/browser/paypal-payment-button-by-vcita/tags/3.10.0/core/shortcodes.php#L129
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3241650%40paypal-payment-button-by-vcita&new=3241650%40paypal-payment-button-by-vcita&sfp_email=&sfph_mail=
Frequently Asked Questions
What is the severity of CVE-2024-11895?
The severity of CVE-2024-11895 is classified as medium due to the potential for significant user data exposure through Stored Cross-Site Scripting.
How do I fix CVE-2024-11895?
To fix CVE-2024-11895, update the Online Payments – Get Paid with PayPal, Square & Stripe plugin to version 3.21.0 or later, which includes patches for the vulnerability.
What versions are affected by CVE-2024-11895?
CVE-2024-11895 affects all versions of the Online Payments – Get Paid with PayPal, Square & Stripe plugin up to and including version 3.20.0.
What type of vulnerability is CVE-2024-11895?
CVE-2024-11895 is a Stored Cross-Site Scripting (XSS) vulnerability that results from insufficient input sanitization in the plugin's shortcodes.
Who is the vendor for the vulnerable plugin CVE-2024-11895?
The vendor for the vulnerable plugin linked to CVE-2024-11895 is Online Payments.
- agent/weakness
- agent/references
- agent/title
- agent/first-publish-date
- agent/type
- agent/description
- agent/author
- agent/source
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/event
- agent/last-modified-date
- agent/severity
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup-request
- vendor/vcita
- canonical/online payments get paid with paypal, square & stripe
- vendor/online payments
- canonical/paypal, square & stripe