CVE-2024-1719 in Easy PayPal & Stripe Buy Now Button Plugin
Summary
by MITRE • 02/28/2024
The Easy PayPal & Stripe Buy Now Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.3 and in Contact Form 7 – PayPal & Stripe Add-on all versions up to, and including 2.1. This is due to missing or incorrect nonce validation on the 'wpecpp_stripe_connect_completion' function. This makes it possible for unauthenticated attackers to modify the plugins settings and chance the stripe connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 03/21/2025
The vulnerability identified as CVE-2024-1719 affects popular WordPress plugins that facilitate payment processing through PayPal and Stripe integrations. This security flaw exists in the Easy PayPal & Stripe Buy Now Button plugin and the Contact Form 7 – PayPal & Stripe Add-on, specifically impacting versions up to and including 1.8.3 and 2.1 respectively. The core issue stems from inadequate security controls within the plugin's administrative interfaces, creating a significant risk for WordPress site owners who rely on these payment processing solutions for their online transactions.
The technical flaw manifests in the absence of proper nonce validation within the 'wpecpp_stripe_connect_completion' function, which is responsible for handling Stripe connection configurations. Nonces serve as critical security tokens that verify the authenticity of administrative actions and prevent unauthorized modifications to plugin settings. Without this validation mechanism, attackers can craft malicious requests that appear to originate from legitimate administrative sessions. This weakness aligns with CWE-352, which specifically addresses Cross-Site Request Forgery vulnerabilities where insufficient validation allows unauthorized actions to be performed on behalf of authenticated users.
The operational impact of this vulnerability extends beyond simple configuration changes, as successful exploitation could result in complete compromise of payment processing capabilities. An attacker who successfully exploits this vulnerability could alter Stripe connection details, potentially redirecting payments to their own accounts or disabling payment processing entirely. This creates significant financial risk for website operators who depend on these plugins for their commerce operations, while also potentially exposing sensitive customer payment data that flows through compromised systems. The vulnerability is particularly dangerous because it requires minimal user interaction to exploit, as administrators can be tricked into clicking malicious links that automatically perform the unauthorized configuration changes.
Mitigation strategies for this vulnerability should prioritize immediate plugin updates to versions that include proper nonce validation mechanisms. System administrators should also implement additional security layers such as two-factor authentication for administrative access, regular security audits of installed plugins, and monitoring for unauthorized configuration changes. The ATT&CK framework categorizes this vulnerability under T1548.003 for Abusing Sudo or Root Privileges, though in this context it represents a more direct path to administrative compromise through forged requests. Organizations should also consider implementing web application firewalls that can detect and block suspicious administrative requests, while maintaining regular backups to ensure quick recovery from potential compromise scenarios. Security teams should conduct comprehensive vulnerability assessments to identify other plugins or components that may exhibit similar nonce validation issues, as this represents a common pattern in WordPress plugin security implementations that requires careful attention to proper authentication mechanisms.