免费扫描

此页面尚未翻译为您的语言。我们正在努力翻译,目前显示英文内容。

💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.

CRITICALCVE-2025-49302CVSS 10

CVE-2025-49302: RCE in Easy Stripe Payment Gateway

平台

wordpress

组件

easy-stripe

修复版本

1.1.1

在NVD查看
保存
正在翻译为您的语言…

CVE-2025-49302 describes a Remote Code Execution (RCE) vulnerability within the Easy Stripe payment gateway. This flaw, stemming from improper code generation control (code injection), allows attackers to include arbitrary code, potentially granting them complete control over affected systems. The vulnerability impacts Easy Stripe versions 0.0 up to and including 1.1, with a fix available in version 1.1.1.

WordPress

检测此 CVE 是否影响你的项目

上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。

免费扫描

影响与攻击场景翻译中…

The impact of this RCE vulnerability is severe. An attacker exploiting CVE-2025-49302 can execute arbitrary code on the server hosting the Easy Stripe payment gateway. This could lead to complete system compromise, including data exfiltration (sensitive customer payment information, database credentials), modification of system files, and installation of malware. The attacker could also leverage this access to move laterally within the network, compromising other systems and escalating privileges. Given the nature of a payment gateway, the potential for financial fraud and reputational damage is significant.

利用背景翻译中…

The vulnerability's public disclosure date is 2025-07-04. Exploitation probability is currently assessed as medium, given the RCE nature and the potential for easy exploitation once a suitable payload is crafted. No public Proof-of-Concept (POC) exploits have been observed at the time of writing, but the ease of code inclusion suggests that POCs are likely to emerge. This vulnerability is not currently listed on KEV or EPSS, but its critical severity warrants close monitoring.

威胁情报

漏洞利用状态

概念验证未知
CISA KEVNO
互联网暴露

EPSS

0.09% (25% 百分位)

CISA SSVC

利用情况none
可自动化yes
技术影响total

CVSS 向量

威胁情报· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H10.0CRITICALAttack VectorNetwork攻击者如何到达目标Attack ComplexityLow利用漏洞所需的条件Privileges RequiredNone攻击所需的认证级别User InteractionNone是否需要受害者采取行动ScopeChanged超出受影响组件的影响范围ConfidentialityHigh敏感数据泄露风险IntegrityHigh数据未授权篡改风险AvailabilityHigh服务中断风险nextguardhq.com · CVSS v3.1 基础分数
这些指标意味着什么?
Attack Vector
网络 — 可通过互联网远程利用,无需物理或本地访问。攻击面最大。
Attack Complexity
低 — 无需特殊条件,可以稳定地利用漏洞。
Privileges Required
无 — 无需认证,无需凭证即可利用。
User Interaction
无 — 攻击自动且无声,受害者无需任何操作。
Scope
已改变 — 攻击可以超出脆弱组件,影响其他系统。
Confidentiality
高 — 完全丧失机密性,攻击者可读取所有数据。
Integrity
高 — 攻击者可写入、修改或删除任何数据。
Availability
高 — 完全崩溃或资源耗尽,完全拒绝服务。

受影响的软件

组件easy-stripe
供应商Scott Paterson
最低版本0
最高版本1.1
修复版本1.1.1

弱点分类 (CWE)

CWE-94

时间线

  1. 已保留
  2. 发布日期
  3. 修改日期
  4. EPSS 更新日期

缓解措施和替代方案翻译中…

The primary mitigation for CVE-2025-49302 is to immediately upgrade Easy Stripe to version 1.1.1 or later. If upgrading is not immediately feasible due to compatibility issues or downtime concerns, consider implementing a temporary workaround by restricting file access permissions on the server hosting Easy Stripe. Specifically, ensure that the include_path configuration is carefully reviewed and that only trusted directories are included. Implement a Web Application Firewall (WAF) with rules to detect and block attempts to include arbitrary files. After upgrading, verify the fix by attempting to trigger the code inclusion vulnerability and confirming that it is no longer exploitable.

修复方法翻译中…

Actualiza el plugin Easy Stripe a la versión 1.1.1 o superior para mitigar la vulnerabilidad de ejecución remota de código. Asegúrate de realizar una copia de seguridad de tu sitio web antes de actualizar cualquier plugin.

常见问题翻译中…

What is CVE-2025-49302 — RCE in Easy Stripe Payment Gateway?

CVE-2025-49302 is a critical Remote Code Execution (RCE) vulnerability in Easy Stripe, allowing attackers to execute arbitrary code. It affects versions 0.0 through 1.1 and can lead to full system compromise and data theft.

Am I affected by CVE-2025-49302 in Easy Stripe Payment Gateway?

If you are using Easy Stripe version 0.0 through 1.1, you are affected by this vulnerability. Immediately check your version and upgrade to 1.1.1 or later.

How do I fix CVE-2025-49302 in Easy Stripe Payment Gateway?

The recommended fix is to upgrade Easy Stripe to version 1.1.1 or later. As a temporary workaround, restrict file access permissions and implement WAF rules to prevent code inclusion.

Is CVE-2025-49302 being actively exploited?

While no public exploits have been observed, the vulnerability's severity and ease of exploitation suggest that active exploitation is possible. Continuous monitoring is recommended.

Where can I find the official Easy Stripe advisory for CVE-2025-49302?

Refer to the official Easy Stripe website and security advisories for the latest information and updates regarding CVE-2025-49302. Check their documentation and release notes.

你的项目受影响吗?

上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。

免费扫描搜索 CVE
WordPress

检测此 CVE 是否影响你的项目

上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。

免费扫描
live免费扫描

立即扫描您的WordPress项目 — 无需账户

上传任何清单文件 (composer.lock, package-lock.json, WordPress 插件列表…) 或粘贴您的组件列表。您立即获得一份漏洞报告。上传文件只是开始:拥有账户后,您将获得持续监控、Slack/电子邮件警报、多项目和白标报告。

手动扫描Slack/邮件提醒持续监控白标报告

拖放您的依赖文件

composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...