CVE-2021-39342: Changeset 2606811 for credova-financial/trunk/credova-financial.php – WordPress Plugin Repository

The Credova_Financial WordPress plugin discloses a site’s associated Credova API account username and password in plaintext via an AJAX action whenever a site user goes to checkout on a page that has the Credova Financing option enabled. This affects versions up to, and including, 1.4.8.
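As an added example (not code from the Credova plugin or this changeset), a small Python lint for code review that flags the exposure pattern this CVE describes on the product-page side: a wp_localize_script() call that hands the plugin's whole settings option, credentials included, to every visitor's browser, while letting the allow-listed form pass. The regexes, the Finding record and the two PHP inputs are this example's own constructions, shaped after the 1.4.8 and 1.4.9 code in the changeset.

```python
"""Added example, not code from the Credova plugin: lint PHP source for wp_localize_script()
calls that hand a whole get_option() array to the browser (the CVE-2021-39342 pattern)."""
import re
from collections import namedtuple

OPTION_ASSIGN_RE = re.compile(r"(\$\w+)\s*=\s*get_option\s*\(\s*['\"]([\w\-]+)['\"]")
FILTER_RE = re.compile(r"(\$\w+)\s*=\s*array_intersect_key\s*\(\s*\1\b")  # allow-listed copy
INLINE_OPTION_RE = re.compile(r"get_option\s*\(\s*['\"]([\w\-]+)['\"]")
LOCALIZE_RE = re.compile(r"wp_localize_script\s*\(")
SECRET_KEY_RE = re.compile(r"password|secret|token|api_key", re.IGNORECASE)

# line: 1-based line of the wp_localize_script() call; subject: option name or offending key
Finding = namedtuple("Finding", "line subject reason")

def _balanced_args(src, start):
    """Text between the '(' at src[start] and its matching ')'; PHP string literals are skipped."""
    depth, quote, i = 0, None, start
    while i < len(src):
        c = src[i]
        if quote:
            if c == "\\":
                i += 1                 # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "'\"":
            quote = c
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return src[start + 1:i]
        i += 1
    return src[start + 1:]             # unterminated call: best effort

def scan_localized_options(php_src):
    """One Finding per exposure: a raw option array localized inline, an option
    variable localized without array_intersect_key(), or a secret-looking key."""
    raw_vars = {m.group(1): m.group(2) for m in OPTION_ASSIGN_RE.finditer(php_src)}
    filtered = {m.group(1) for m in FILTER_RE.finditer(php_src)}
    findings = []
    for call in LOCALIZE_RE.finditer(php_src):
        args = _balanced_args(php_src, call.end() - 1)
        line = php_src.count("\n", 0, call.start()) + 1
        for opt in INLINE_OPTION_RE.findall(args):
            findings.append(Finding(line, opt, "whole option array localized inline"))
        for var, opt in raw_vars.items():
            if var not in filtered and re.search(re.escape(var) + r"\b", args):
                findings.append(Finding(line, opt, f"unfiltered option variable {var} localized"))
        for key in re.findall(r"['\"](\w+)['\"]\s*=>", args):
            if SECRET_KEY_RE.search(key):
                findings.append(Finding(line, key, "secret-looking key sent to the client"))
    return findings

# Constructed samples shaped like the 1.4.8 (vulnerable) and 1.4.9 (fixed) code.
VULNERABLE_PHP = """<?php
wp_localize_script('woocommerce_product_credova', 'product_credova_params', array(
    'credova_details' => get_option('woocommerce_credova_settings'),
));
wp_localize_script('woocommerce_product_credova', 'myAjax', array('ajaxurl' => admin_url('admin-ajax.php')));
"""
FIXED_PHP = """<?php
$credova_details = get_option('woocommerce_credova_settings');
$credova_details = array_intersect_key( $credova_details , array_flip( ['api_username', 'enabled', 'testmode'] ) );
wp_localize_script('woocommerce_product_credova', 'product_credova_params', array(
    'credova_details' => $credova_details,
));
"""
```

The heuristics are file-global (a variable narrowed anywhere in the file counts as filtered), so treat a clean result as a prompt for manual review rather than proof.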

  • credova-financial/trunk/credova-financial.php

    r2590899

    r2606811

6

6

 \* Author: Credova

7

7

 \* Author URI: https://credova.com/

8

 

 \* Version: 1.4.8

 

8

 \* Version: 1.4.9

9

9

 \* Requires at least: 5.0.0

10

10

 \* Tested up to: 5.8

…

…

 

22

22

23

23

define('BASE\_URL', get\_bloginfo('url'));

24

 

define('WC\_GATEWAY\_CREDOVA\_VERSION', '1.4.8');

 

24

define('WC\_GATEWAY\_CREDOVA\_VERSION', '1.4.9');

25

25

26

26

function credova\_install()
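Review bot: the release version is now maintained in two places that must be bumped together, the Version: plugin header (1.4.9 at line 8) and define('WC_GATEWAY_CREDOVA_VERSION', '1.4.9') at line 24; a future release that touches only one of them will silently mismatch. Consider deriving the constant from the header with get_file_data(__FILE__, array('Version' => 'Version')) so there is a single source of truth.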

…

…

 

150

150

    if ($credova\_enabled == "yes") {

151

151

152

 

        $return\_string = '<p class="credova-button" data-amount="' . esc\_html( $amount ) . '" data-type="popup"></p>';

 

152

        $return\_string = '<p class="credova-button" data-amount="' . esc\_html($amount) . '" data-type="popup"></p>';

153

153

        $return\_string .= '<script src="https://plugin.credova.com/plugin.min.js"></script><script>';

154

154
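Review bot: esc_html() is the wrong escaper for the data-amount attribute at 152; inside an HTML attribute value the matching function is esc_attr(). The only change in this hunk is whitespace inside the call, so while the line is being touched, switch it to esc_attr($amount), or cast the price to a number first since it is only ever numeric.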

…

…

 

201

201

    {

202

202

        wp\_enqueue\_script('woocommerce\_product\_credova', plugins\_url('assets/js/product\_credova.js', \_\_FILE\_\_), array('jquery'), false, true);

 

203

        $credova\_details = get\_option('woocommerce\_credova\_settings');

 

204

        $credova\_details = array\_intersect\_key( $credova\_details , array\_flip( \['api\_username', 'enabled', 'testmode', 'aslowaslist', 'min\_finance\_amount', 'max\_finance\_amount', 'flow\_type', 'popup\_type'\] ) );

203

205

        wp\_localize\_script('woocommerce\_product\_credova', 'product\_credova\_params', array(

204

 

            'credova\_details' => get\_option('woocommerce\_credova\_settings'),

 

206

            'credova\_details' => $credova\_details,

205

207

        ));

206

208

        wp\_localize\_script('woocommerce\_product\_credova', 'myAjax', array('ajaxurl' => admin\_url('admin-ajax.php')));
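Review bot: the allow-list at 204 is the right shape (an explicit list of keys rather than a denylist of secrets) and keeps api_password out of product_credova_params, but two follow-ups: (1) get_option('woocommerce_credova_settings') returns false when the option has never been saved, and array_intersect_key(false, ...) raises a TypeError on PHP 8 and a warning on earlier versions, so default it with get_option('woocommerce_credova_settings', array()) or cast with (array) before filtering. (2) api_username is still shipped to every visitor of the product page; check whether assets/js/product_credova.js actually reads it and drop it from the list if not, since it is half of the credential pair this changeset is removing.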

…

…

 

1132

1134

                        function aslowas() {

1133

1135

                            var final\_price = <?php echo $woocommerce->cart->total; ?>;

1134

 

                            var username = "<?php echo $api\_username; ?>";

1135

 

                            var password = "<?php echo $api\_password; ?>";

1136

 

                            var testmode = "<?php echo $testmode; ?>";

1137

1136

                            if(final\_price >= <?=$min\_finance\_amount;?> && final\_price <= <?=$max\_finance\_amount;?>){

1138

1137
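Review bot: removing the username, password and testmode variables from the inline script at 1134-1136 is the core of the fix; the remaining interpolations at 1133 and 1137 ($woocommerce->cart->total, $min_finance_amount, $max_finance_amount) are still echoed raw into JavaScript, the latter two through <?= ?>. These are admin-controlled settings, so this is a robustness rather than a disclosure point, but casting them with (float) or emitting them via wp_json_encode() keeps a blank or non-numeric setting from producing a syntax error that disables the whole checkout script.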

…

…

 

1140

1139

1141

1140

                            var ajaxurl = '<?php echo admin\_url('admin-ajax.php'); ?>';

1142

 

                            jQuery.post(ajaxurl,{action:"credova\_as\_low\_as",final\_price:final\_price,username:username,password:password,testmode:testmode},function(e){var a=JSON.parse(e);a.errors?$credova("div#as-low-as-more-info-disclaimer").length>=0&&($credova("div#as-low-as-more-info-disclaimer").text(a.errors),$credova("span#lowest-credova-price").text(a.minMonthlyPayment),$credova(".checkout-credova-slide").slideDown("slow")):$credova("h3#lowest-credova-price").length>=0&&($credova("span#lowest-credova-price").text(a.minMonthlyPayment),$credova("span#lowest-credova-price-default").text(a.minMonthlyPayment),$credova(".credova-financing-button").html('<a href="javascript:applicationProcess()" class="apply-credova-checkout" style="background: #337ab7; padding: 11px 33px; color: #fff; border-radius: 2px; font-size: 20px; text-transform: uppercase; cursor: pointer; text-decoration: none;">Continue with Credova</a>'),$credova(".checkout-credova-slide").slideDown("slow"),$credova("#payment-please-wait").css("display","none"),$credova("#payment-buttons-container").css("opacity","1"))});

 

1141

                            jQuery.post(ajaxurl,{action:"credova\_as\_low\_as",final\_price:final\_price},function(e){var a=JSON.parse(e);a.errors?$credova("div#as-low-as-more-info-disclaimer").length>=0&&($credova("div#as-low-as-more-info-disclaimer").text(a.errors),$credova("span#lowest-credova-price").text(a.minMonthlyPayment),$credova(".checkout-credova-slide").slideDown("slow")):$credova("h3#lowest-credova-price").length>=0&&($credova("span#lowest-credova-price").text(a.minMonthlyPayment),$credova("span#lowest-credova-price-default").text(a.minMonthlyPayment),$credova(".credova-financing-button").html('<a href="javascript:applicationProcess()" class="apply-credova-checkout" style="background: #337ab7; padding: 11px 33px; color: #fff; border-radius: 2px; font-size: 20px; text-transform: uppercase; cursor: pointer; text-decoration: none;">Continue with Credova</a>'),$credova(".checkout-credova-slide").slideDown("slow"),$credova("#payment-please-wait").css("display","none"),$credova("#payment-buttons-container").css("opacity","1"))});

1143

1142

                            }else{

1144

1143

                                $credova("div#as-low-as-more-info-disclaimer").text('No Finance Available. Finance available Only if Total cart price is less than 5000.');
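Review bot: the POST at 1141 now carries only final_price, so the handler no longer learns the credentials from the client; what it still lacks is a nonce. Because credova_as_low_as is reached through admin-ajax.php and authenticates to the Credova API with the site's stored account on every call, send wp_create_nonce('credova_as_low_as') alongside final_price and verify it with check_ajax_referer() in the handler so that only the checkout page drives that request. Separately, the else branch at 1143 hard-codes "less than 5000" while the condition above uses $max_finance_amount; print the configured limit instead.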

…

…

 

1152

1151

                        function aslowas() {

1153

1152

                            var final\_price = <?php echo $woocommerce->cart->total; ?>;

1154

 

                            var username = "<?php echo $api\_username; ?>";

1155

 

                            var password = "<?php echo $api\_password; ?>";

1156

 

                            var testmode = "<?php echo $testmode; ?>";

1157

1153

                            if(final\_price >= <?=$min\_finance\_amount;?> && final\_price <= <?=$max\_finance\_amount;?>){

1158

1154

…

…

 

1160

1156

1161

1157

                            var ajaxurl = '<?php echo admin\_url('admin-ajax.php'); ?>';

1162

 

                            jQuery.post(ajaxurl,{action:"credova\_as\_low\_as",final\_price:final\_price,username:username,password:password,testmode:testmode},function(e){var a=JSON.parse(e);a.errors?$credova("div#as-low-as-more-info-disclaimer").length>=0&&($credova("div#as-low-as-more-info-disclaimer").text(a.errors),$credova("span#lowest-credova-price").text(a.minMonthlyPayment),$credova(".checkout-credova-slide").slideDown("slow")):$credova("h3#lowest-credova-price").length>=0&&($credova("span#lowest-credova-price").text(a.minMonthlyPayment),$credova("span#lowest-credova-price-default").text(a.minMonthlyPayment))});

 

1158

                            jQuery.post(ajaxurl,{action:"credova\_as\_low\_as",final\_price:final\_price},function(e){var a=JSON.parse(e);a.errors?$credova("div#as-low-as-more-info-disclaimer").length>=0&&($credova("div#as-low-as-more-info-disclaimer").text(a.errors),$credova("span#lowest-credova-price").text(a.minMonthlyPayment),$credova(".checkout-credova-slide").slideDown("slow")):$credova("h3#lowest-credova-price").length>=0&&($credova("span#lowest-credova-price").text(a.minMonthlyPayment),$credova("span#lowest-credova-price-default").text(a.minMonthlyPayment))});

1163

1159

                            }else{

1164

1160

                                $credova("div#as-low-as-more-info-disclaimer").text('No Finance Available. Finance available Only if Total cart price is less than 5000.');
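Review bot: this is the second near-identical copy of aslowas() and its jQuery.post callback (1151-1160, alongside 1134-1143 above); the credential removal had to be applied twice, and the two copies already differ only in the trailing slideDown/css calls of the success handler. Factor the request into one function that takes the success handler as a parameter, otherwise the next security fix risks landing in only one of them.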

…

…

 

1803

1799

function credova\_as\_low\_as()

1804

1800

{

 

1801

 

1802

    $credova\_details = get\_option('woocommerce\_credova\_settings');

 

1803

 

1804

    $testmode   = ($credova\_details\['testmode'\] == 'yes') ? 1 : 0;

 

1805

    $username   = $credova\_details\['api\_username'\];

 

1806

    $password   = $credova\_details\['api\_password'\];

1805

1807

    $finalprice = sanitize\_text\_field($\_POST\['final\_price'\]);

1806

 

    $username   = sanitize\_text\_field($\_POST\['username'\]);

1807

 

    $password   = sanitize\_text\_field($\_POST\['password'\]);

1808

 

    $testmode   = intval($\_POST\['testmode'\]);

1809

 

    $respp      = array();

1810

 

    $client     = new CredovaClient($username, $password, $testmode);

 

1808

 

1809

    $respp  = array();

 

1810

    $client = new CredovaClient($username, $password, $testmode);

1811

1811

    $client->authenticate();

1812

1812

    try {
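Review bot: reading api_username and api_password from get_option() at 1802-1806 instead of $_POST is the right fix, but three follow-ups: (1) $credova_details['testmode'], ['api_username'] and ['api_password'] are indexed without checking that the option exists, so an unconfigured site emits undefined-index notices into the AJAX response and breaks the client's JSON.parse; guard with isset() or supply a default array. (2) $finalprice at 1807 is only passed through sanitize_text_field(); since it feeds a price query, validate it with is_numeric() and cast to float, returning an error entry in $respp otherwise. (3) $client->authenticate() at 1811 sits outside the try block that opens at 1812; if it can throw, the exception escapes the handler instead of being reported through $respp, so move it inside the try.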

Related news

CVE-2022-2695: Vulnerability Advisories - Wordfence

The Beaver Builder – WordPress Page Builder for WordPress is vulnerable to Stored Cross-Site Scripting via the 'caption' parameter added to images via the media uploader in versions up to, and including, 2.5.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with access to the Beaver Builder editor and the ability to upload media files to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2022-2541: Vulnerability Advisories - Wordfence

The uContext for Amazon plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including 3.9.1. This is due to missing nonce validation in the ~/app/sites/ajax/actions/keyword_save.php file that is called via the doAjax() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2022-2542: Vulnerability Advisories - Wordfence

The uContext for Clickbank plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including 3.9.1. This is due to missing nonce validation in the ~/app/sites/ajax/actions/keyword_save.php file that is called via the doAjax() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2022-2935: Vulnerability Advisories - Wordfence

The Image Hover Effects Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Media Image URL value that can be added to an Image Hover in versions up to, and including, 9.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, the plugin only allows administrators access to edit Image Hovers, however, if a site admin makes the plugin's features available to lower privileged users through the 'Who Can Edit?' setting then this can be exploited by those users.

CVE-2022-2433: Vulnerability Advisories - Wordfence

The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to deserialization of untrusted input via the 'alm_repeaters_export' parameter in versions up to, and including 5.5.3. This makes it possible for unauthenticated users to call files using a PHAR wrapper, granted they can trick a site administrator into performing an action such as clicking on a link, that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.

CVE-2022-2434: Vulnerability Advisories - Wordfence

The String Locator plugin for WordPress is vulnerable to deserialization of untrusted input via the 'string-locator-path' parameter in versions up to, and including 2.5.0. This makes it possible for unauthenticated users to call files using a PHAR wrapper, granted they can trick a site administrator into performing an action such as clicking on a link, that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.

CVE-2022-2518: Vulnerability Advisories - Wordfence

The Stockists Manager for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.2.1. This is due to missing nonce validation on the stockist_settings_main() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2022-2934: Vulnerability Advisories - Wordfence

The Beaver Builder – WordPress Page Builder for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Image URL' value found in the Media block in versions up to, and including, 2.5.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with access to the Beaver Builder editor to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2022-2936: Vulnerability Advisories - Wordfence

The Image Hover Effects Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Video Link values that can be added to an Image Hover in versions up to, and including, 9.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, the plugin only allows administrators access to edit Image Hovers, however, if a site admin makes the plugin's features available to lower privileged users through the 'Who Can Edit?' setting then this can be exploited by those users.

CVE-2022-3026: Vulnerability Advisories - Wordfence

The WP Users Exporter plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.4.2 via the 'Export Users' functionality. This makes it possible for authenticated attackers, such as a subscriber, to add untrusted input into profile information like First Names that will embed into the exported CSV file triggered by an administrator and can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

CVE-2022-2540: Vulnerability Advisories - Wordfence

The Link Optimizer Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including 1.4.5. This is due to missing nonce validation on the admin_page function found in the ~/admin.php file. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2022-2516: Vulnerability Advisories - Wordfence

The Visual Composer Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post/page 'Title' value in versions up to, and including, 45.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with access to the visual composer editor to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2022-2001: Vulnerability Advisories - Wordfence

The DX Share Selection plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.4. This is due to missing nonce protection on the dxss_admin_page() function found in the ~/dx-share-selection.php file. This makes it possible for unauthenticated attackers to inject malicious web scripts into the page, granted they can trick a site's administrator into performing an action such as clicking on a link.

CVE-2022-1565: Vulnerability Advisories - Wordfence

The WP All Import plugin is vulnerable to arbitrary file uploads due to missing file type validation via the wp_all_import_get_gz.php file in versions up to, and including, 3.6.7. This makes it possible for authenticated attackers, with administrator level permissions and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible.

CVE-2022-2444: Vulnerability Advisories - Wordfence

The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to deserialization of untrusted input via the 'remote_data' parameter in versions up to, and including 3.7.9. This makes it possible for authenticated attackers with contributor privileges and above to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.

CVE-2022-1749: Vulnerability Advisories - Wordfence

The WPMK Ajax Finder WordPress plugin is vulnerable to Cross-Site Request Forgery via the createplugin_atf_admin_setting_page() function found in the ~/inc/config/create-plugin-config.php file due to a missing nonce check which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.1.

CVE-2022-0209: Vulnerability Advisories - Wordfence

The Mitsol Social Post Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.10 due to insufficient input sanitization and output escaping on the application id parameters. This makes it possible for authenticated (admin+) attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html is disabled.

CVE-2022-1750: Vulnerability Advisories - Wordfence

The Sticky Popup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'popup_title' parameter in versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with admin level capabilities and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This issue mostly affects sites where unfiltered_html has been disabled for administrators and multi-site installations where unfiltered_html is disabled for administrators.

CVE-2022-1900: Vulnerability Advisories - Wordfence

The Copify plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.0. This is due to missing nonce validation on the CopifySettings page. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2022-1442: Vulnerability Advisories - Wordfence

The Metform WordPress plugin is vulnerable to sensitive information disclosure due to improper access control in the ~/core/forms/action.php file which can be exploited by an unauthenticated attacker to view all API keys and secrets of integrated third-party APIs like that of PayPal, Stripe, Mailchimp, Hubspot, HelpScout, reCAPTCHA and many more, in versions up to and including 2.1.3.

CVE-2022-1505: Vulnerability Advisories - Wordfence

The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to missing SQL escaping and parameterization on user supplied data passed to a SQL query in the rsvpmaker-api-endpoints.php file. This makes it possible for unauthenticated attackers to steal sensitive information from the database in versions up to and including 9.2.6.

CVE-2022-0210: Vulnerability Advisories - Wordfence

The Random Banner WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the category parameter found in the ~/include/models/model.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 4.1.4. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

CVE-2021-42367: Vulnerability Advisories - Wordfence

The Variation Swatches for WooCommerce WordPress plugin is vulnerable to Stored Cross-Site Scripting via several parameters found in the ~/includes/class-menu-page.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.1.1. Due to missing authorization checks on the tawcvs_save_settings function, low-level authenticated users such as subscribers can exploit this vulnerability.

CVE-2021-42362: Vulnerability Advisories - Wordfence

The WordPress Popular Posts WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/src/Image.php file which makes it possible for attackers with contributor level access and above to upload malicious files that can be used to obtain remote code execution, in versions up to and including 5.3.2.

CVE-2021-39348: Vulnerability Advisories - Wordfence

The LearnPress WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping on the $custom_profile parameter found in the ~/inc/admin/views/backend-user-profile.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 4.1.3.1. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. Please note that this is separate from CVE-2021-24702.

CVE-2021-34627: Vulnerability Advisories - Wordfence

A vulnerability in the getSelectedMimeTypesByRole function of the WP Upload Restriction WordPress plugin allows low-level authenticated users to view custom extensions added by administrators. This issue affects versions 2.2.3 and prior.
