Credova_Financial WordPress Plugin: Plaintext Disclosure of API Account Credentials

Credova_Financial WordPress Plugin: Plaintext Disclosure of API Account Credentials

CVE-2021-39342 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

The Credova_Financial WordPress plugin discloses a site's associated Credova API account username and password in plaintext via an AJAX action whenever a site user goes to checkout on a page that has the Credova Financing option enabled. This affects versions up to, and including, 1.4.8.

Learn more about our Wordpress Pen Testing.