The plugin’s Stripe Connect callback writes the seedprod_stripe_connect_token option from a GET parameter without a nonce or capability check. An attacker can trick an admin into visiting a crafted URL and overwrite the connected Stripe token.
This vulnerability affects the following application versions:
- Website Builder by SeedProd 6.15.6
- Website Builder by SeedProd 6.15.7
- Website Builder by SeedProd 6.15.13.1
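
The missing checks described above, shown as an added example that is not SeedProd's code: the unchecked option write beside a form that requires both a capability and a nonce before writing. The function names, the `example_stripe_token` and `state` parameters, the nonce action and the settings page slug are hypothetical; only the option name comes from the advisory.

```php
<?php
// Added example, not the plugin's source. All example_* names, the 'state'
// parameter and the settings page slug are hypothetical.

// Pattern the advisory describes: any request that reaches this handler in a
// logged-in admin's browser overwrites the stored token. Not hooked here.
function example_connect_callback_unchecked() {
    if ( isset( $_GET['example_stripe_token'] ) ) {
        update_option( 'seedprod_stripe_connect_token', $_GET['example_stripe_token'] );
    }
}

// Hardened, step 1: when the admin starts the connect flow, issue a nonce
// tied to their session and carry it through the redirect as 'state'.
function example_connect_return_url() {
    return add_query_arg(
        'state',
        wp_create_nonce( 'example_stripe_connect' ),
        admin_url( 'admin.php?page=example-settings' )
    );
}

// Hardened, step 2: refuse the write unless the current user may manage
// options and the returned nonce matches the one issued in step 1.
function example_connect_callback_checked() {
    if ( ! isset( $_GET['example_stripe_token'] ) ) {
        return; // not a callback request
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    $state = isset( $_GET['state'] )
        ? sanitize_text_field( wp_unslash( $_GET['state'] ) )
        : '';
    if ( ! wp_verify_nonce( $state, 'example_stripe_connect' ) ) {
        wp_die( 'Invalid or expired request.', '', array( 'response' => 403 ) );
    }
    $token = sanitize_text_field( wp_unslash( $_GET['example_stripe_token'] ) );
    update_option( 'seedprod_stripe_connect_token', $token );
}
add_action( 'admin_init', 'example_connect_callback_checked' );
```

With the nonce check in place, a URL opened outside a flow the admin started carries no valid `state` value and the option is left unchanged.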