ID

VAR-201908-0650


CVE

CVE-2019-14979


TITLE

WordPress for WooCommerce PayPal Checkout Payment Gateway Plug-in input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-008559

DESCRIPTION

cgi-bin/webscr?cmd=_cart in the WooCommerce PayPal Checkout Payment Gateway plugin 1.6.17 for WordPress allows Parameter Tampering in an amount parameter (such as amount_1), as demonstrated by purchasing an item for lower than the intended price. NOTE: The plugin author states it is true that the amount can be manipulated in the PayPal payment flow. However, the amount is validated against the WooCommerce order total before completing the order, and if it doesn’t match then the order will be left in an “On Hold” state. WordPress is a blogging platform developed by the WordPress Foundation using the PHP language. The platform supports setting up personal blog sites on PHP and MySQL servers. The vulnerability stems from the failure of the network system or product to properly validate the input data.

Trust: 1.71

sources: NVD: CVE-2019-14979 // JVNDB: JVNDB-2019-008559 // VULHUB: VHN-146979

AFFECTED PRODUCTS

vendor: woocommerce
model: paypal checkout payment gateway
scope: eq
version: 1.6.17

Trust: 1.8

sources: JVNDB: JVNDB-2019-008559 // NVD: CVE-2019-14979

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-14979
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-14979
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201908-2227
value: MEDIUM

Trust: 0.6

VULHUB: VHN-146979
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-14979
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-146979
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-14979
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 1.4
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-146979 // JVNDB: JVNDB-2019-008559 // CNNVD: CNNVD-201908-2227 // NVD: CVE-2019-14979

PROBLEMTYPE DATA

problemtype: CWE-20

Trust: 1.9

sources: VULHUB: VHN-146979 // JVNDB: JVNDB-2019-008559 // NVD: CVE-2019-14979

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201908-2227

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201908-2227

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-008559

PATCH

title: WooCommerce PayPal Checkout Payment Gateway
url: https://wordpress.org/plugins/woocommerce-gateway-paypal-express-checkout/

Trust: 0.8

sources: JVNDB: JVNDB-2019-008559

EXTERNAL IDS

db: NVD, id: CVE-2019-14979

Trust: 2.5

db: JVNDB, id: JVNDB-2019-008559

Trust: 0.8

db: CNNVD, id: CNNVD-201908-2227

Trust: 0.7

db: VULHUB, id: VHN-146979

Trust: 0.1

sources: VULHUB: VHN-146979 // JVNDB: JVNDB-2019-008559 // CNNVD: CNNVD-201908-2227 // NVD: CVE-2019-14979

REFERENCES

url:https://gkaim.com/cve-2019-14979-vikas-chaudhary/

Trust: 2.5

url:https://wordpress.org/support/topic/vulnerabilty-in-plugin/#post-11899173

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-14979

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-14979

Trust: 0.8

sources: VULHUB: VHN-146979 // JVNDB: JVNDB-2019-008559 // CNNVD: CNNVD-201908-2227 // NVD: CVE-2019-14979

SOURCES

db: VULHUB, id: VHN-146979
db: JVNDB, id: JVNDB-2019-008559
db: CNNVD, id: CNNVD-201908-2227
db: NVD, id: CVE-2019-14979

LAST UPDATE DATE

2024-11-23T23:08:17.693000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-146979, date: 2020-02-10T00:00:00
db: JVNDB, id: JVNDB-2019-008559, date: 2019-09-03T00:00:00
db: CNNVD, id: CNNVD-201908-2227, date: 2020-02-12T00:00:00
db: NVD, id: CVE-2019-14979, date: 2024-11-21T04:27:48.810

SOURCES RELEASE DATE

db: VULHUB, id: VHN-146979, date: 2019-08-29T00:00:00
db: JVNDB, id: JVNDB-2019-008559, date: 2019-09-03T00:00:00
db: CNNVD, id: CNNVD-201908-2227, date: 2019-08-29T00:00:00
db: NVD, id: CVE-2019-14979, date: 2019-08-29T19:15:13.850