CVE-2024-6205

The PayPlus Payment Gateway WordPress plugin before 6.6.9 does not properly sanitise and escape a parameter before using it in a SQL statement via a WooCommerce API route available to unauthenticated users, leading to an SQL injection vulnerability.
Configurations

Configuration 1

cpe:2.3:a:payplus:payplus_payment_gateway:*:*:*:*:*:wordpress:*:*

History

19 Jul 2024, 20:23

| Type | Values Removed | Values Added |
|---|---|---|
| First Time | | Payplus payplus Payment Gateway; Payplus |
| CWE | | CWE-89 |
| CPE | | cpe:2.3:a:payplus:payplus_payment_gateway:*:*:*:*:*:wordpress:*:* |
| CVSS | v2 : unknown; v3 : unknown | v2 : unknown; v3 : 9.8 |
| References | https://wpscan.com/vulnerability/7e2c5032-2917-418c-aee3-092bdb78a087/ | https://wpscan.com/vulnerability/7e2c5032-2917-418c-aee3-092bdb78a087/ - Exploit, Third Party Advisory |

19 Jul 2024, 13:01

| Type | Values Removed | Values Added |
|---|---|---|
| Summary | | (es, translated) The PayPlus Payment Gateway WordPress plugin before 6.6.9 does not properly sanitize or escape a parameter before using it in an SQL statement via a WooCommerce API route available to unauthenticated users, resulting in an SQL injection vulnerability. |

19 Jul 2024, 06:15

| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |

Information

Published : 2024-07-19 06:15

Updated : 2024-08-01 14:00


NVD link : CVE-2024-6205

Mitre link : CVE-2024-6205

CVE.ORG link : CVE-2024-6205



Products Affected

payplus

  • payplus_payment_gateway
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')