cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches foreasy-paypal-shopping-cart easy-paypal-shopping-cart

Direction: ascending
Jun 07, 2024

Easy PayPal Shopping Cart # CVE-2023-47239

CVE, Research URL

CVE-2023-47239

Home page URL

Security reports for Easy PayPal Shopping Cart

Application

Easy PayPal Shopping Cart

Date
Nov 17, 2023
Research Description
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Scott Paterson Easy PayPal Shopping Cart plugin <= 1.1.10 versions.
Affected versions
max 1.1.11.
Status
vulnerable

Easy PayPal Shopping Cart # f7f554a34a82880b4ecbd6cef96968d88e3e5ae8

CVE, Research URL

f7f554a34a82880b4ecbd6cef96968d88e3e5ae8

Home page URL

Security reports for Easy PayPal Shopping Cart

Application

Easy PayPal Shopping Cart

Date
May 25, 2022
Research Description
Easy PayPal Shopping Cart [easy-paypal-shopping-cart] < 1.1.10 Easy PayPal Shopping Cart <= 1.1.9 - Cross-Site Request Forgery to Cross-Site Scripting The Easy PayPal Shopping Cart for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. This is due to missing nonce validation on the wpepsc_plugin_options function. This makes it possible for unauthenticated attackers to modify the plugins setting and add malicious web scripts to the settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 1.1.10.
Status
vulnerable
Jun 16, 2026

Easy PayPal Shopping Cart # d9c154a32db8150cd5b35b089c8962452eb8b232

CVE, Research URL

d9c154a32db8150cd5b35b089c8962452eb8b232

Home page URL

Security reports for Easy PayPal Shopping Cart

Application

Easy PayPal Shopping Cart

Date
Nov 03, 2023
Research Description
Easy PayPal Shopping Cart [easy-paypal-shopping-cart] < 1.1.11 Easy PayPal Shopping Cart <= 1.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode The Easy PayPal Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in all versions up to, and including, 1.1.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level and above permissions, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 1.1.11.
Status
vulnerable