CVE-2024-8914

Name of the Vulnerable Software and Affected Versions: Thanh Toán Quét Mã QR Code Tự Động – MoMo, ViettelPay, VNPay và 40 ngân hàng Việt Nam plugin for WordPress versions up to, and including, 2.0.1

Description: The issue is related to Stored Cross-Site Scripting due to the incorrect use of the wp kses allowed html function. This function allows the onclick attribute for certain HTML elements without sufficient restriction or context validation, making it possible for unauthenticated attackers to inject arbitrary web scripts in pages. These scripts will execute whenever a user accesses an injected page, potentially leading to attacker-controlled code execution.

Recommendations: For versions up to, and including, 2.0.1, update the plugin immediately to a version that addresses this issue. Monitor for patches and apply them as soon as they become available to prevent exploitation. As a temporary workaround, consider restricting access to pages that utilize the vulnerable plugin to minimize the risk of script injection.