Deze pagina is nog niet vertaald naar uw taal. We werken eraan — de inhoud wordt voorlopig in het Engels weergegeven.
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2025-49302: RCE in Easy Stripe Payment Gateway
Platform
wordpress
Component
easy-stripe
Opgelost in
1.1.1
CVE-2025-49302 describes a Remote Code Execution (RCE) vulnerability within the Easy Stripe payment gateway. This flaw, stemming from improper code generation control (code injection), allows attackers to include arbitrary code, potentially granting them complete control over affected systems. The vulnerability impacts Easy Stripe versions 0.0 up to and including 1.1, with a fix available in version 1.1.1.
Detecteer deze CVE in je project
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Impact en Aanvalsscenarioswordt vertaald…
The impact of this RCE vulnerability is severe. An attacker exploiting CVE-2025-49302 can execute arbitrary code on the server hosting the Easy Stripe payment gateway. This could lead to complete system compromise, including data exfiltration (sensitive customer payment information, database credentials), modification of system files, and installation of malware. The attacker could also leverage this access to move laterally within the network, compromising other systems and escalating privileges. Given the nature of a payment gateway, the potential for financial fraud and reputational damage is significant.
Uitbuitingscontextwordt vertaald…
The vulnerability's public disclosure date is 2025-07-04. Exploitation probability is currently assessed as medium, given the RCE nature and the potential for easy exploitation once a suitable payload is crafted. No public Proof-of-Concept (POC) exploits have been observed at the time of writing, but the ease of code inclusion suggests that POCs are likely to emerge. This vulnerability is not currently listed on KEV or EPSS, but its critical severity warrants close monitoring.
Dreigingsinformatie
Exploit Status
EPSS
0.09% (25% percentiel)
CISA SSVC
CVSS-vector
Wat betekenen deze metrics?
- Attack Vector
- Netwerk — op afstand uitbuitbaar via internet. Geen fysieke of lokale toegang vereist.
- Attack Complexity
- Laag — geen speciale voorwaarden vereist. Betrouwbaar uitbuitbaar.
- Privileges Required
- Geen — geen authenticatie vereist om te exploiteren.
- User Interaction
- Geen — automatische en stille aanval. Slachtoffer doet niets.
- Scope
- Gewijzigd — aanval kan voorbij het kwetsbare component uitbreiden naar andere systemen.
- Confidentiality
- Hoog — volledig verlies van vertrouwelijkheid. Aanvaller kan alle gegevens lezen.
- Integrity
- Hoog — aanvaller kan alle gegevens schrijven, aanpassen of verwijderen.
- Availability
- Hoog — volledige crash of uitputting van resources. Totale denial of service.
Getroffen Software
Zwakheidsclassificatie (CWE)
Tijdlijn
- Gereserveerd
- Gepubliceerd
- Gewijzigd
- EPSS bijgewerkt
Mitigatie en Workaroundswordt vertaald…
The primary mitigation for CVE-2025-49302 is to immediately upgrade Easy Stripe to version 1.1.1 or later. If upgrading is not immediately feasible due to compatibility issues or downtime concerns, consider implementing a temporary workaround by restricting file access permissions on the server hosting Easy Stripe. Specifically, ensure that the include_path configuration is carefully reviewed and that only trusted directories are included. Implement a Web Application Firewall (WAF) with rules to detect and block attempts to include arbitrary files. After upgrading, verify the fix by attempting to trigger the code inclusion vulnerability and confirming that it is no longer exploitable.
Hoe te verhelpenwordt vertaald…
Actualiza el plugin Easy Stripe a la versión 1.1.1 o superior para mitigar la vulnerabilidad de ejecución remota de código. Asegúrate de realizar una copia de seguridad de tu sitio web antes de actualizar cualquier plugin.
Veelgestelde vragenwordt vertaald…
What is CVE-2025-49302 — RCE in Easy Stripe Payment Gateway?
CVE-2025-49302 is a critical Remote Code Execution (RCE) vulnerability in Easy Stripe, allowing attackers to execute arbitrary code. It affects versions 0.0 through 1.1 and can lead to full system compromise and data theft.
Am I affected by CVE-2025-49302 in Easy Stripe Payment Gateway?
If you are using Easy Stripe version 0.0 through 1.1, you are affected by this vulnerability. Immediately check your version and upgrade to 1.1.1 or later.
How do I fix CVE-2025-49302 in Easy Stripe Payment Gateway?
The recommended fix is to upgrade Easy Stripe to version 1.1.1 or later. As a temporary workaround, restrict file access permissions and implement WAF rules to prevent code inclusion.
Is CVE-2025-49302 being actively exploited?
While no public exploits have been observed, the vulnerability's severity and ease of exploitation suggest that active exploitation is possible. Continuous monitoring is recommended.
Where can I find the official Easy Stripe advisory for CVE-2025-49302?
Refer to the official Easy Stripe website and security advisories for the latest information and updates regarding CVE-2025-49302. Check their documentation and release notes.
Is jouw project getroffen?
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Detecteer deze CVE in je project
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Scan nu uw WordPress project — geen account
Upload een manifest (composer.lock, package-lock.json, WordPress pluginlijst…) of plak uw componentenlijst. U ontvangt direct een kwetsbaarheidsrapport. Een bestand uploaden is slechts het begin: met een account krijgt u continue monitoring, Slack/e-mail alerts, multi-project en white-label rapporten.
Sleep uw afhankelijkheidsbestand hierheen
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...