CVE-2021-39342

Published: Sep 29, 2021Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

The Credova_Financial WordPress plugin discloses a site's associated Credova API account username and password in plaintext via an AJAX action whenever a site user goes to checkout on a page that has the Credova Financing option enabled. This affects versions up to, and including, 1.4.8.

Affected (1)

Products: Credova: Financial

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Credova Financial	Before 1.4.9

Related CWEs

Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

References (4)

https://plugins.trac.wordpress.org/changeset/2606811/credova-financial/trunk/credova-financial.php

Source: security@wordfence.com

PatchThird Party Advisory

https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39342

Source: security@wordfence.com

Third Party Advisory

https://plugins.trac.wordpress.org/changeset/2606811/credova-financial/trunk/credova-financial.php

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39342

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.