WordPress · Credova Financial · CVE-2021-39342
Name of the Vulnerable Software and Affected Versions:
Credova Financial WordPress plugin versions up to, and including, 1.4.8
Description:
The Credova Financial WordPress plugin discloses a site's associated Credova API account username and password in plaintext via an AJAX action whenever a site user goes to checkout on a page that has the Credova Financing option enabled.
Recommendations:
For versions up to, and including, 1.4.8, update to a version later than 1.4.8 to resolve the issue. As a temporary workaround, consider disabling the Credova Financing option on checkout pages until a patch is available. Restrict access to the AJAX action that discloses the Credova API account credentials to minimize the risk of exploitation.
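To illustrate the flaw class the description refers to, here is an added example (not the Credova Financial plugin's own code; the option names, action names and API URL are hypothetical): a WordPress AJAX handler that echoes stored API credentials to the browser, beside a hardened form that keeps the credentials server-side and returns only the result the checkout page needs.

```php
<?php
// Hypothetical illustration, not the Credova Financial plugin's actual code.
// Option names, action names and the API URL are assumptions for this example.

// VULNERABLE PATTERN: the handler hands the stored API username and password
// to whoever calls the action. Registered with wp_ajax_nopriv_ as well, it
// serves unauthenticated visitors reaching checkout, so the credentials leave
// the server in plaintext with every checkout page load.
function example_insecure_get_credentials() {
    wp_send_json( array(
        'username' => get_option( 'example_api_username' ),
        'password' => get_option( 'example_api_password' ),
    ) );
}
add_action( 'wp_ajax_example_get_credentials', 'example_insecure_get_credentials' );
add_action( 'wp_ajax_nopriv_example_get_credentials', 'example_insecure_get_credentials' );

// HARDENED PATTERN: credentials never reach the browser. The page asks
// WordPress to perform the financing request; the server authenticates to
// the third-party API itself and returns only non-sensitive data.
// A nonce ties the request to the checkout form it was issued for.
function example_secure_financing_request() {
    check_ajax_referer( 'example_financing_nonce', 'nonce' );

    $amount = isset( $_POST['amount'] ) ? floatval( wp_unslash( $_POST['amount'] ) ) : 0;
    if ( $amount <= 0 ) {
        wp_send_json_error( 'invalid amount', 400 );
    }

    // Credentials are read server-side only and sent to the API over TLS.
    $response = wp_remote_post( 'https://api.example.invalid/financing', array(
        'headers' => array(
            'Authorization' => 'Basic ' . base64_encode(
                get_option( 'example_api_username' ) . ':' . get_option( 'example_api_password' )
            ),
        ),
        'body'    => array( 'amount' => $amount ),
        'timeout' => 10,
    ) );
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( 'upstream error', 502 );
    }

    // Return only what checkout needs (an application URL), never the credentials.
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    wp_send_json_success( array( 'application_url' => $data['application_url'] ?? '' ) );
}
add_action( 'wp_ajax_example_financing_request', 'example_secure_financing_request' );
add_action( 'wp_ajax_nopriv_example_financing_request', 'example_secure_financing_request' );
```

The hardened handler goes further than the temporary workaround above: rather than restricting who may call the action, it removes the credentials from the response entirely, so there is nothing left to disclose.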