A security vulnerability was discovered in the WooCommerce Stripe payment gateway plugin, making it possible for an attacker to collect personally identifiable information (PII) from stores using the plugin.
Security analysts rated the vulnerability a high 7.5 on a scale of 1 to 10, and exploiting it does not require authentication.
The Stripe payment gateway plugin is developed by WooCommerce, Automattic, WooThemes, and other contributors.
It offers a simple way for customers to check out at WooCommerce stores using various credit cards without creating an account.
A Stripe account is automatically generated at checkout, providing customers with a seamless e-commerce purchasing experience.
The plugin uses an application programming interface (API) to function.
An API acts as an intermediary between two applications, enabling smooth order processing from the WooCommerce shop to Stripe through interaction between the two.
The vulnerability was found by security experts at Patchstack, who appropriately informed the right parties involved.
Security professionals at WordPress security company Patchstack say:
“This plugin has an IDOR vulnerability, which stands for Unauthenticated Insecure Direct Object Reference.
Due to a vulnerability, any user without authentication can view the email, username, and complete address of any WooCommerce order. The described vulnerability was fixed in version 7.4.1 with some backported fixed versions and assigned CVE-2023-34000.
The issues allow an attacker to read order information in the site’s page source or on the front end due to the lack of order ownership checks.”
More than 900,000 active installations of the plugin exist, and based on the version use statistics that are currently accessible, hundreds of thousands of them could potentially be attacked.
Versions 7.4.0 and earlier are affected by the vulnerability.
The developers have released version 7.4.1, which contains the fix.
According to the official plugin changelog, the following updates to security were made:
“Fix – Add Order Key Validation.
Fix – Add sanitization and escaping some outputs.”
Two distinct issues had to be resolved.
The first was a lack of validation: a check that a request actually comes from a legitimate source, in this case the party that owns the order.
The second was sanitization, which describes a method of rejecting or neutralizing invalid input. For instance, if a field accepts only text, it should be handled so that scripts cannot be injected through it.
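To make the two fixes concrete, the following is an added model in Python (not the plugin's own PHP code) of an order-detail lookup: the first function returns PII given only the guessable order ID, the second requires the per-order key, compares it in constant time, and escapes what it returns. The order records, keys and addresses are constructed sample data.

```python
import hmac
import html
from dataclasses import dataclass
from typing import Optional

# Constructed sample orders standing in for WooCommerce order records.
# The order_key plays the role of the per-order secret the fix validates.
@dataclass(frozen=True)
class Order:
    order_id: int
    order_key: str
    email: str
    username: str
    address: str

ORDERS = {
    1001: Order(1001, "wc_order_" + "a" * 13, "alice@example.test", "alice", "1 Example St"),
    1002: Order(1002, "wc_order_" + "b" * 13, "bob@example.test", "bob", "<b>2 Sample Ave</b>"),
}


def lookup_order_vulnerable(order_id: int) -> Optional[dict]:
    """IDOR pattern: the sequential, guessable order ID is the only input,
    so anyone who can reach the endpoint can read any order's PII."""
    order = ORDERS.get(order_id)
    if order is None:
        return None
    return {"email": order.email, "username": order.username, "address": order.address}


def lookup_order_fixed(order_id: int, order_key: str) -> Optional[dict]:
    """Ownership check plus output escaping: the caller must present the
    order's own key, compared in constant time, and every returned field
    is HTML-escaped so stored data cannot become script in the page."""
    order = ORDERS.get(order_id)
    # Same response for an unknown ID and a wrong key, so the endpoint
    # does not reveal which order IDs exist.
    if order is None or not hmac.compare_digest(order.order_key, order_key):
        return None
    raw = {"email": order.email, "username": order.username, "address": order.address}
    return {field: html.escape(value, quote=True) for field, value in raw.items()}
```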
Patchstack’s security advisory provided more technical information regarding the root causes of the vulnerabilities that this version addresses.
Store owners are strongly advised to upgrade to version 7.4.1.