Reflected Cross-Site Scripting Vulnerability in Razorpay Subscription Button for WordPress
CVE-2024-13827

6.1MEDIUM

Key Information:

Vendor: Razorpay
Status: Razorpay Subscription Button Elementor Plugin
Vendor: CVE Published:; 5 March 2025

Summary

The Razorpay Subscription Button Elementor Plugin for WordPress contains a vulnerability that allows unauthenticated attackers to execute arbitrary web scripts. This is caused by the improper use of add_query_arg() and remove_query_arg() functions, which do not properly escape URLs. Attackers can exploit this vulnerability by tricking users into clicking on malicious links, leading to unauthorized script executions within legitimate website pages.

Affected Version(s)

Razorpay Subscription Button Elementor Plugin * <= 1.0.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/razorpay-subsc...

https://wordpress.org/plugins/razorpay-subscription-butto...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Mar 5, 2025
Vulnerability Reserved
Feb 3, 2025

Credit

Peter Thaleikis