CVE-2023-2407

Name of the Vulnerable Software and Affected Versions The Event Registration Calendar By vcita plugin versions up to and including 3.9.1 Online Payments – Get Paid with PayPal, Square & Stripe plugin for WordPress (affected versions not specified)

Description The issue is due to missing nonce validation in the ls parse vcita callback() function, making it possible for unauthenticated attackers to modify the plugin's settings and inject malicious JavaScript via a forged request. This can be achieved if an attacker can trick a site administrator into performing an action such as clicking on a link.

Recommendations For The Event Registration Calendar By vcita plugin versions up to and including 3.9.1, update to a version that includes nonce validation in the ls parse vcita callback() function. For Online Payments – Get Paid with PayPal, Square & Stripe plugin, at the moment, there is no information about a newer version that contains a fix for this vulnerability.