CVE-2023-2407 — MEDIUM (6.1)

Q: How severe is CVE-2023-2407?

CVE-2023-2407 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-2407?

Check the references section above for vendor advisories and patch information. Affected products include: Vcita Event Registration Calendar By Vcita, Vcita Online Payments - Get Paid With Paypal\, Square \& Stripe.

Vulnerability Description

The Event Registration Calendar By vcita plugin, versions up to and including 3.10.0, and Online Payments – Get Paid with PayPal, Square & Stripe plugin, for WordPress are vulnerable to Cross-Site Request Forgery. This is due to missing nonce validation in the ls_parse_vcita_callback() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Score

6.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Vcita	Event Registration Calendar By Vcita	<= 3.9.1
Vcita	Online Payments - Get Paid With Paypal\, Square \& Stripe	<= 1.3.1

Related Weaknesses (CWE)

CWE-352

References

https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcitaExploitThird Party Advisory
https://plugins.trac.wordpress.org/browser/event-registration-calendar-by-vcita/Exploit
https://plugins.trac.wordpress.org/browser/paypal-payment-button-by-vcita/trunk/Exploit
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new
https://www.wordfence.com/threat-intel/vulnerabilities/id/207b40fa-2062-48d6-990Third Party Advisory
https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcitaExploitThird Party Advisory
https://plugins.trac.wordpress.org/browser/event-registration-calendar-by-vcita/Exploit
https://plugins.trac.wordpress.org/browser/paypal-payment-button-by-vcita/trunk/Exploit
https://www.wordfence.com/threat-intel/vulnerabilities/id/207b40fa-2062-48d6-990Third Party Advisory

FAQ

What is CVE-2023-2407?

CVE-2023-2407 is a vulnerability with a CVSS score of 6.1 (MEDIUM). The Event Registration Calendar By vcita plugin, versions up to and including 3.10.0, and Online Payments – Get Paid with PayPal, Square & Stripe plugin, for WordPress are vulnerable to Cross-Site Req...

How severe is CVE-2023-2407?

CVE-2023-2407 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-2407?

Check the references section above for vendor advisories and patch information. Affected products include: Vcita Event Registration Calendar By Vcita, Vcita Online Payments - Get Paid With Paypal\, Square \& Stripe.