CVE-2020-25750

Name of the Vulnerable Software and Affected Versions DotPlant2 versions prior to 2020-09-14

Description An issue was discovered in the Pay2PayPayment class in payment/Pay2PayPayment.php, where there is an XXE vulnerability in the checkResult() function. The user input ($ POST['xml']) is used for simplexml load string without sanitization. This issue only affects products that are no longer supported by the maintainer.

Recommendations For versions prior to 2020-09-14, as a temporary workaround, consider disabling the checkResult() function in the Pay2PayPayment class until a patch is available. Restrict access to the payment/Pay2PayPayment.php file to minimize the risk of exploitation. Avoid using the $ POST['xml'] input in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.