CVE-2024-53759 Overview
CVE-2024-53759 is a stored cross-site scripting (XSS) vulnerability in the Planet Studio ArCa Payment Gateway plugin for WordPress. The flaw stems from improper neutralization of user-supplied input during web page generation [CWE-79]. An attacker can chain a Cross-Site Request Forgery (CSRF) condition with the XSS sink to inject persistent JavaScript into pages rendered by the plugin. The issue affects all versions of the plugin from initial release through 1.3.1. Successful exploitation requires victim interaction, such as clicking a crafted link while authenticated to the target WordPress site.
Critical Impact
An attacker can persist malicious JavaScript inside the WordPress admin context, enabling session theft, administrative action abuse, and downstream compromise of site visitors.
Affected Products
- Planet Studio ArCa Payment Gateway WordPress plugin (arca-payment-gateway)
- All versions up to and including 1.3.1
- WordPress sites with the plugin installed and active
Discovery Timeline
- 2024-12-02 - CVE-2024-53759 published to the National Vulnerability Database
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2024-53759
Vulnerability Analysis
The vulnerability is a stored XSS issue accessible through a CSRF vector. The plugin accepts input destined for rendering inside the WordPress admin interface or front-end payment pages without applying sufficient sanitization or output encoding. Because the input is stored in the database and reflected later during page generation, the injected payload executes whenever an authenticated user or site visitor loads the affected page.
The CSRF dimension means the plugin does not enforce anti-CSRF tokens on the vulnerable settings or configuration endpoint. An unauthenticated attacker can craft a malicious page that triggers a state-changing request when a logged-in administrator visits it. The browser submits the request with valid session cookies, persisting the attacker's payload.
The EPSS score is 0.231% (45.9th percentile), indicating limited observed exploitation activity at this time.
Root Cause
The plugin code paths handling configuration input fail to apply WordPress sanitization helpers such as sanitize_text_field() on input and esc_html() or esc_attr() on output. The vulnerable endpoints also lack wp_verify_nonce() checks, removing the standard WordPress CSRF protection.
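To make the root cause concrete, here is an added example (not the ArCa plugin's code) of a hypothetical settings field written first in the shape the advisory describes and then hardened with the WordPress helpers named above. The option name, field name, nonce action and settings-page slug are assumptions; the code needs a WordPress environment to run.

```php
<?php
/**
 * Added example, not the ArCa plugin's code: a hypothetical settings field
 * (option name, field name, nonce action and page slug are assumptions),
 * first in the vulnerable shape the advisory describes, then hardened.
 * Requires WordPress.
 */

// ---- Vulnerable shape: no capability check, no nonce, no sanitization,
// ---- no output escaping. Shown only to illustrate the defect.
function arca_example_save_vulnerable() {
    if ( isset( $_POST['arca_merchant_label'] ) ) {
        // Any page the logged-in admin visits can submit this form (CSRF),
        // and the value is stored verbatim, markup included.
        update_option( 'arca_example_merchant_label', $_POST['arca_merchant_label'] );
    }
}

function arca_example_render_vulnerable() {
    $label = get_option( 'arca_example_merchant_label', '' );
    // Raw echo into an attribute: a stored payload runs on every page load.
    echo '<input type="text" name="arca_merchant_label" value="' . $label . '">';
}

// ---- Hardened shape ------------------------------------------------------
function arca_example_save() {
    if ( ! isset( $_POST['arca_merchant_label'] ) ) {
        return;
    }
    // Authorization: only users allowed to manage options get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // CSRF defence: the request must carry a nonce tied to this action and the
    // current user. check_admin_referer() stops the request when the nonce is
    // absent, forged or expired (it calls wp_verify_nonce() internally).
    check_admin_referer( 'arca_example_save', '_wpnonce' );

    // Input sanitization: wp_unslash() removes WordPress' added slashes,
    // sanitize_text_field() strips tags, NUL bytes and stray whitespace.
    $label = sanitize_text_field( wp_unslash( $_POST['arca_merchant_label'] ) );
    update_option( 'arca_example_merchant_label', $label );
}

function arca_example_render() {
    $label = get_option( 'arca_example_merchant_label', '' );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'arca_example_save', '_wpnonce' ); ?>
        <!-- Output escaping chosen per context: esc_attr() inside an
             attribute value, esc_html() in element content. -->
        <input type="text" name="arca_merchant_label"
               value="<?php echo esc_attr( $label ); ?>">
        <p>Current label: <?php echo esc_html( $label ); ?></p>
        <input type="submit" class="button button-primary" value="Save">
    </form>
    <?php
}

// Handle the POST on admin_init, before any admin page output is sent.
add_action( 'admin_init', 'arca_example_save' );

// Register the (assumed) settings page that renders the hardened form.
add_action( 'admin_menu', function () {
    add_options_page( 'ArCa example', 'ArCa example', 'manage_options',
        'arca-example', 'arca_example_render' );
} );
```

The Settings API (register_setting() with a sanitize_callback) is the more idiomatic way to get the same sanitization, and options.php then performs the nonce check for you; the manual form above simply makes each control visible. Output escaping stays necessary even when a Content Security Policy is deployed: wp-admin relies on inline scripts, so an enforcing policy without inline allowances breaks the admin interface unless script nonces are threaded through.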
Attack Vector
Exploitation occurs over the network and requires user interaction. The attacker hosts a malicious page containing a hidden form or fetch request targeting the plugin's vulnerable endpoint. When a logged-in WordPress administrator visits the page, the request executes under their session, storing attacker-controlled markup. The payload then runs whenever the affected admin or storefront page is rendered.
The vulnerability description and Patchstack advisory do not include public exploit code. Refer to the Patchstack Vulnerability Report for additional technical context.
Detection Methods for CVE-2024-53759
Indicators of Compromise
- Unexpected <script>, onerror=, or onload= strings stored in WordPress options or plugin-specific tables related to arca-payment-gateway
- New or modified administrator accounts created shortly after an admin session loaded a third-party page
- Outbound requests from administrator browsers to unfamiliar domains immediately after visiting WordPress admin pages
Detection Strategies
- Audit plugin configuration values for HTML, JavaScript event handlers, or encoded forms of them such as an HTML-entity-encoded <script> tag
- Review WordPress access logs for POST requests to plugin endpoints lacking a valid _wpnonce parameter
- Inspect Referer headers on administrative state-changing requests to identify off-site origins
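The indicators and strategies in the two lists above can be scripted. The following added example (not from the advisory or the plugin) is standalone PHP that scans constructed option values for stored or encoded markup and flags constructed access-log lines for nonce-less or off-site POSTs to the plugin's admin page. It runs under the PHP CLI with no WordPress install; the option names, log lines, site host and the query-string shape of the plugin endpoint are all assumptions.

```php
<?php
/**
 * Added example, not from the advisory or the plugin: standalone detection
 * logic applied to constructed sample data. Runs with `php detect.php`.
 */

// Patterns that indicate stored markup, handlers, or encoded variants of them.
const ARCA_SUSPECT_PATTERNS = [
    'script tag'            => '/<\s*script\b/i',
    'event handler'         => '/\bon(error|load|click|mouse\w+|focus|blur|input|change)\s*=/i',
    'javascript: URL'       => '/javascript\s*:/i',
    'HTML-entity encoded <' => '/&(lt|#0*60|#x0*3c);/i',
    'URL-encoded <'         => '/%3c/i',
];

/** Return the names of the patterns an option value matches. */
function arca_scan_value( string $value ): array {
    $hits = [];
    // Also inspect a decoded copy so entity- or URL-encoded payloads are caught
    // by the plain-text patterns as well.
    $candidates = [ $value, html_entity_decode( rawurldecode( $value ), ENT_QUOTES ) ];
    foreach ( ARCA_SUSPECT_PATTERNS as $name => $regex ) {
        foreach ( $candidates as $c ) {
            if ( preg_match( $regex, $c ) ) {
                $hits[] = $name;
                break;
            }
        }
    }
    return $hits;
}

/** Parse one combined-format access-log line (assumed format) into fields. */
function arca_parse_log_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return [ 'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4],
             'status' => (int) $m[5], 'referer' => $m[6] ];
}

/**
 * Flag POSTs to the plugin page that carry no _wpnonce in the query string or
 * arrive with an off-site Referer. Access logs omit POST bodies, so a missing
 * query-string nonce is a lead to confirm against the request handler, not proof.
 */
function arca_flag_request( array $req, string $site_host ): array {
    $reasons = [];
    if ( $req['method'] !== 'POST' || strpos( $req['path'], 'arca-payment-gateway' ) === false ) {
        return $reasons;
    }
    $query = parse_url( $req['path'], PHP_URL_QUERY ) ?? '';
    parse_str( $query, $params );
    if ( empty( $params['_wpnonce'] ) ) {
        $reasons[] = 'no _wpnonce in query string';
    }
    $ref_host = ( $req['referer'] === '' || $req['referer'] === '-' )
        ? null : parse_url( $req['referer'], PHP_URL_HOST );
    if ( $ref_host !== $site_host ) {
        $reasons[] = 'off-site or missing Referer (' . ( $ref_host ?: 'none' ) . ')';
    }
    return $reasons;
}

// Constructed sample option values (not real site data).
$sample_options = [
    'arca_merchant_label' => 'My Shop',
    'arca_return_url'     => 'https://shop.example/thanks',
    'arca_footer_note'    => 'Thanks<img src=x onerror=alert(1)>',
    'arca_help_text'      => '&lt;script&gt;alert(1)&lt;/script&gt;',
];

// Constructed sample access-log lines (not real traffic).
$sample_log = [
    '203.0.113.7 - - [02/Dec/2024:10:15:01 +0000] "POST /wp-admin/admin.php?page=arca-payment-gateway HTTP/1.1" 302 0 "https://third-party.example/" "Mozilla/5.0"',
    '198.51.100.4 - - [02/Dec/2024:10:16:40 +0000] "POST /wp-admin/admin.php?page=arca-payment-gateway&_wpnonce=abcdef1234 HTTP/1.1" 302 0 "https://shop.example/wp-admin/admin.php?page=arca-payment-gateway" "Mozilla/5.0"',
    '198.51.100.4 - - [02/Dec/2024:10:17:02 +0000] "GET /wp-admin/admin.php?page=arca-payment-gateway HTTP/1.1" 200 5120 "https://shop.example/wp-admin/" "Mozilla/5.0"',
];

foreach ( $sample_options as $name => $value ) {
    $hits = arca_scan_value( $value );
    if ( $hits ) {
        printf( "option %-20s suspicious: %s\n", $name, implode( ', ', $hits ) );
    }
}
foreach ( $sample_log as $line ) {
    $req = arca_parse_log_line( $line );
    if ( $req === null ) {
        continue;
    }
    $reasons = arca_flag_request( $req, 'shop.example' );
    if ( $reasons ) {
        printf( "%s %s %s -> %s\n", $req['time'], $req['ip'], $req['path'], implode( '; ', $reasons ) );
    }
}
```

On the sample data the scanner reports the two options carrying an event handler and an entity-encoded script tag, and flags the first POST for both a missing nonce and an off-site Referer while passing the nonce-bearing, same-site POST and the GET. On a live site, feed arca_scan_value() the rows from wp_options (and any plugin-specific tables) and point the log loop at the real access log; a Referer check alone is weak because browsers may omit the header, so treat it as corroboration for the nonce finding.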
Monitoring Recommendations
- Enable WordPress audit logging to capture plugin option changes and the user account responsible
- Monitor for anomalous JavaScript execution in administrator browsers using endpoint browser telemetry
- Alert on plugin file integrity changes and unexpected modifications to wp_options rows owned by the plugin
How to Mitigate CVE-2024-53759
Immediate Actions Required
- Update the ArCa Payment Gateway plugin to a version newer than 1.3.1 once the vendor publishes a fix
- Deactivate and remove the plugin if a patched release is not yet available and the payment gateway is not in active use
- Review plugin configuration entries and remove any unexpected HTML or script content
- Force password resets for WordPress administrators who may have visited untrusted sites while logged in
Patch Information
At the time of NVD publication on 2024-12-02, the advisory tracked the issue through version 1.3.1 with no fixed version documented. Administrators should consult the Patchstack Vulnerability Report for the latest fix status and apply the vendor update as soon as it becomes available.
Workarounds
- Restrict access to /wp-admin/ using IP allowlists or VPN-only access to limit CSRF exposure
- Deploy a web application firewall rule that strips script tags and event-handler attributes from requests targeting the plugin
- Require administrators to use a dedicated browser profile for WordPress administration to reduce cross-site request risk
- Enforce Content Security Policy headers that disallow inline script execution on WordPress admin pages
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.