CVE-2021-39342
5.3 MEDIUMThe Credova_Financial WordPress plugin discloses a site's associated Credova API account username and password in plaintext via an AJAX a...
Published: 2021-09-29 · Last updated: 2026-06-17
Severity and scoring
- CVSS
- 5.3 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- CWE
- CWE-319, CWE-522
Affected products
| Vendor | Product |
|---|---|
| credova | financial |
Description
The Credova_Financial WordPress plugin discloses a site's associated Credova API account username and password in plaintext via an AJAX action whenever a site user goes to checkout on a page that has the Credova Financing option enabled. This affects versions up to, and including, 1.4.8.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2021-39342
- [Patch]https://plugins.trac.wordpress.org/changeset/2606811/credova-financial/trunk/credova-financial.php
- [Other]https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39342
- [Patch]https://plugins.trac.wordpress.org/changeset/2606811/credova-financial/trunk/credova-financial.php
- [Other]https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39342
Related CVEs
Same CWE
- CVE-2026-53840 — OpenClaw before 2026.5.12 contains an information disclosure vulnerability in streamable-http MCP servers that forwards operator-configur... (7.1 HIGH)
- CVE-2026-6517 — Mattermost Desktop App versions <=6.1 5.5.13.0 fail to restrict the allow list of domains to which NTLM credentials were forwarded to in ... (6.3 MEDIUM)
- CVE-2026-49949 — CodexBar before 0.33.0 contains a credential forwarding vulnerability that allows network-adjacent attackers to intercept sensitive crede... (5.3 MEDIUM)
- CVE-2024-45636 — IBM Security QRadar EDR 3.12 through 3.12.24 stores user credentials in plain text which can be read by a local privileged user (4.1 MEDIUM)
- CVE-2026-9741 — A bug in query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption (QE) or Client-Side Field Level Encryp... (6.5 MEDIUM)