LifterLMS PayPal < 1.4.0 - Reflected Cross-Site Scripting
CVE-2022-1250

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: Lifterlms Paypal
Vendor: CVE Published:; 2 May 2022

Summary

The LifterLMS PayPal WordPress plugin before 1.4.0 does not sanitise and escape some parameters from the payment confirmation page before outputting them back in the page, leading to a Reflected Cross-Site Scripting issue

Affected Version(s)

LifterLMS Paypal 1.4.0

References

https://wpscan.com/vulnerability/1f8cb0b9-7447-44db-8d13-...

x_refsource_MISC

https://make.lifterlms.com/2022/04/04/lifterlms-paypal-ve...

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
May 2, 2022
Vulnerability Reserved
Apr 6, 2022

Credit

Brandon James Roldan