PT-2019-13908 · Woocommerce · Woocommerce Payu India Payment Gateway

Published: 2019-08-29 · Updated: 2019-12-02 · CVE-2019-14978

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

WooCommerce PayU India Payment Gateway plugin version 2.1.1

Description

The plugin allows tampering with the purchaseQuantity=1 parameter of the /payu/icpcheckout/ endpoint, which enables the purchase of an item for a lower price than intended.

Recommendations

For WooCommerce PayU India Payment Gateway plugin version 2.1.1, consider disabling the /payu/icpcheckout/ endpoint until a patch is available, to prevent parameter tampering. Avoid using the purchaseQuantity parameter in the affected endpoint until the issue is resolved.

Related Identifiers

CVE-2019-14978

Affected Products

Woocommerce Payu India Payment Gateway