The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.33.3. This is due to missing or incorrect nonce validation on the give_stripe_disconnect_connect_stripe_account function. This makes it possible for unauthenticated attackers to deactivate the plugin's stripe integration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: Wordfence
Published: 2024-01-11T08:32:30.451Z
Updated: 2024-08-02T07:24:03.620Z
Reserved: 2023-08-08T18:55:34.251Z
Link: CVE-2023-4248
Vulnrichment
No data.
NVD
Status : Modified
Published: 2024-01-11T09:15:46.613
Modified: 2024-11-21T08:34:42.623
Link: CVE-2023-4248
Redhat
No data.