CVE-2024-3649
Contact Form by WPForms – Drag & Drop Form Builder for WordPress <= 1.8.7.2 - Unauthenticated Price Manipulation
The Contact Form by WPForms – Drag & Drop Form Builder for WordPress plugin for WordPress is vulnerable to price manipulation in versions up to, and including, 1.8.7.2. This is due to a lack of controls on several product parameters. This makes it possible for unauthenticated attackers to manipulate prices, product information, and quantities for purchases made via the Stripe payment integration.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Produtos afetados
smub · WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & MoreQuer saber se a sua infraestrutura está exposta a isto?
Falar com a TrueHacking →Referências
https://plugins.trac.wordpress.org/changeset/3075634https://plugins.trac.wordpress.org/changeset/3075634/wpforms-lite/trunk/assets/js/integrations/stripe/wpforms-stripe-payment-element.jshttps://www.wordfence.com/threat-intel/vulnerabilities/id/68a509ae-9943-4b9a-8ede-2b5732e96e6d?source=cve