Product and Affected Versions: WooCommerce Stripe Gateway WordPress plugin versions 7.4.0 and below.
Severity and CVE ID: CVE-2023-34000
Vulnerability: The WooCommerce Stripe Gateway WordPress plugin contains an unauthenticated Insecure Direct Object Reference (IDOR) flaw. It arises from insecure handling of order objects and a lack of proper access control in the plugin’s ‘javascript_params’ and ‘payment_fields’ functions. The flaw lets unauthorized users bypass authorization and read sensitive information, including personally identifiable information (PII) such as the email, user’s name, and full address associated with any WooCommerce order.
How the Attack Works: Bad actors can exploit the unauthenticated IDOR vulnerability by directly referencing order objects without proper authorization. By manipulating the plugin’s ‘javascript_params’ and ‘payment_fields’ functions, they can retrieve the sensitive PII associated with WooCommerce orders.
Remediations: The plugin maintainers addressed the vulnerability in version 7.4.1, released on May 30, 2023. Users of the WooCommerce Stripe Gateway WordPress plugin should ensure they are running version 7.4.1 or above to mitigate the risk of unauthorized disclosure of sensitive information, and should promptly update to the latest version provided by the maintainers.
References:
– Patchstack security researcher Rafie Muhammad’s findings on the vulnerability
– Official release notes and documentation from the WooCommerce Stripe Gateway plugin maintainers
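
The access-control gap described under "Vulnerability" and "How the Attack Works", modeled as an added example: this is not the plugin's code or its 7.4.1 patch, only a language-neutral sketch of an order lookup with and without an authorization check. The `Order` fields, function names and sample orders are hypothetical and constructed for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: int   # 0 means guest checkout (assumption of this model)
    order_key: str     # per-order secret handed only to the buyer
    email: str
    name: str
    address: str

# Constructed sample data, not real orders.
ORDERS = {
    1001: Order(1001, 7, "wc_order_k3yA", "alice@example.com", "Alice Example", "1 Main St"),
    1002: Order(1002, 0, "wc_order_k3yB", "guest@example.com", "Guest Buyer", "2 Side Rd"),
}

def _pii(order: Order) -> dict:
    return {"email": order.email, "name": order.name, "address": order.address}

def billing_params_unchecked(order_id: int) -> Optional[dict]:
    """IDOR pattern: whoever supplies an order ID receives that order's PII."""
    order = ORDERS.get(order_id)
    return _pii(order) if order else None

def caller_may_view(order: Order, user_id: int, supplied_key: str) -> bool:
    """Allow the logged-in owner, or a caller presenting the order's secret key."""
    if user_id != 0 and user_id == order.customer_id:
        return True
    # Constant-time comparison so the key cannot be recovered byte by byte.
    return bool(supplied_key) and hmac.compare_digest(
        supplied_key.encode(), order.order_key.encode())

def billing_params_checked(order_id: int, user_id: int = 0,
                           supplied_key: str = "") -> Optional[dict]:
    """Same lookup, but PII is released only after the authorization check."""
    order = ORDERS.get(order_id)
    # Unknown order and unauthorized caller look identical to the client,
    # so the response does not reveal which order IDs exist.
    if order is None or not caller_may_view(order, user_id, supplied_key):
        return None
    return _pii(order)
```
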