CVE-2024-10851

Name of the Vulnerable Software and Affected Versions Razorpay Payment Button Plugin versions prior to 2.4.6

Description The Razorpay Payment Button Plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add query arg and remove query arg without appropriate escaping on the URL. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Recommendations Update to the latest version to safeguard your site. As a temporary workaround, consider restricting the use of the add query arg and remove query arg functions until a patch is available. Restrict access to pages that use these functions to minimize the risk of exploitation.