CVE-2021-39342

Summary

The Credova_Financial WordPress plugin discloses a site's associated Credova API account username and password in plaintext via an AJAX action whenever a site user goes to checkout on a page that has the Credova Financing option enabled. This affects versions up to, and including, 1.4.8.

Affected Software

VendorProductVersion RangeStatus
Credova FinancialCredova_Financial1.4.8 <= 1.4.8affected

Weaknesses

  • CWE-319: CWE-319 Cleartext Transmission of Sensitive Information

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References