CVE-2024-1719

Name of the Vulnerable Software and Affected Versions Easy PayPal & Stripe Buy Now Button plugin for WordPress versions up to, and including, 1.8.3 Contact Form 7 – PayPal & Stripe Add-on versions up to, and including, 2.1

Description The issue is due to missing or incorrect nonce validation on the wpecpp stripe connect completion function, making it possible for unauthenticated attackers to modify the plugin's settings and change the stripe connection via a forged request. This can happen if an attacker can trick a site administrator into performing an action such as clicking on a link.

Recommendations For Easy PayPal & Stripe Buy Now Button plugin for WordPress versions up to, and including, 1.8.3, update to a version later than 1.8.3. For Contact Form 7 – PayPal & Stripe Add-on versions up to, and including, 2.1, update to a version later than 2.1. As a temporary workaround, consider disabling the wpecpp stripe connect completion function until a patch is available.