← Back

CVE-2023-2407

nvd nist
Published: Jun 3, 2023Modified: Apr 8, 2026

JSON object

Loading...
6.5
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Exploitability: 2.8 / Impact: 3.6
Source: NVD

Description

The Event Registration Calendar By vcita plugin, versions up to and including 3.10.0, and Online Payments – Get Paid with PayPal, Square & Stripe plugin, for WordPress are vulnerable to Cross-Site Request Forgery. This is due to missing nonce validation in the ls_parse_vcita_callback() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affected (2)

Vcita
2 products
Event Registration Calendar By Vcita
Online Payments Get Paid With Paypal, Square & Stripe
Configuration A
2 vulnerable
Vulnerable SoftwareAffected Versions
Event Registration Calendar By Vcita
Up to 3.9.1
Online Payments Get Paid With Paypal, Square & Stripe
Up to 1.3.1

Related CWEs

CWE-352
Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (9)

Source: security@wordfence.com
ExploitThird Party Advisory
Source: security@wordfence.com
Exploit
Source: security@wordfence.com
Exploit
Source: security@wordfence.com
Source: security@wordfence.com
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Exploit
Source: af854a3a-2127-422b-91ae-364da2661108
Exploit
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory

Timeline

No history available yet.