Credova_Financial <= 1.4.8 Sensitive Information Disclosure
CVE-2021-39342

5.3MEDIUM

Key Information:

Vendor: WordPress
Status: Credova Financial
Vendor: CVE Published:; 29 September 2021

What is CVE-2021-39342?

The Credova_Financial WordPress plugin discloses a site's associated Credova API account username and password in plaintext via an AJAX action whenever a site user goes to checkout on a page that has the Credova Financing option enabled. This affects versions up to, and including, 1.4.8.

Affected Version(s)

Credova_Financial 1.4.8

References

https://www.wordfence.com/vulnerability-advisories/#CVE-2...

x_refsource_MISC

https://plugins.trac.wordpress.org/changeset/2606811/cred...

x_refsource_MISC

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 29, 2021
Vulnerability Reserved
Aug 20, 2021

Credit

Marvin Santos