Hundreds of thousands of online stores are potentially exposed to hacking due to a critical vulnerability in the WooCommerce Stripe Payment Gateway plugin.
The WooCommerce Stripe Payment Gateway plugin is affected by a critical vulnerability tracked as CVE-2023-34000.
The Stripe plugin extends WooCommerce allowing administrators of the e-commerce sites to take payments directly on their store via Stripe’s API.
Stripe is a simple way to accept payments online, it supports Visa, MasterCard, American Express, Discover, JCB, and Diners Club cards, even Bitcoin payment channels.
The plugin is very popular and has more than 900,000 active installations.
A security flaw has been uncovered in the WooCommerce Stripe Gateway WordPress plugin that could lead to the unauthorized disclosure of sensitive information.
The vulnerability is an unauthenticated Insecure direct object references (IDOR) issue that impacts versions 7.4.0 and below. An attacker can exploit the vulnerability to bypass authorization and access sensitive information.
“This plugin suffers from an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability. This vulnerability allows any unauthenticated user to view any WooCommnerce order’s PII data including email, user’s name, and full address.” reads the advisory published by securityfirm PatchStack. “The described vulnerability was fixed in version 7.4.1 with some backported fixed version and assigned CVE-2023-34000.”
The experts noticed that the issue was addressed by implementing the validation of the fetched order ownership. The check is implemented through the
is_valid_pay_for_order_endpoint function which will check the order based on the key and ownership.
Below is the disclosure timeline for the above issue:
17 April 2023 – We found the vulnerability and reached out to the plugin vendor.
30 May 2023 – WooCommerce Stripe Gateway version 7.4.1 was published to patch the reported issues.
13 June 2023 – Added the vulnerabilities to the Patchstack vulnerability database.
13 June 2023 – Published the article.
(SecurityAffairs – hacking, WordPress)
The post Critical flaw found in WooCommerce Stripe Gateway Plugin used by +900K sites appeared first on Security Affairs.