Critical Security Flaw Found in WooCommerce Stripe Gateway Plugin
June 14, 2023
A critical security vulnerability has been discovered in the WooCommerce Stripe Gateway WordPress plugin, potentially leading to unauthorized disclosure of sensitive data. The security flaw, identified as CVE-2023-34000, affects plugin versions 7.4.0 and below. The issue was resolved by the plugin's maintainers with the release of version 7.4.1 on May 30, 2023. WooCommerce Stripe Gateway is a popular plugin, with over 900,000 active installations, enabling e-commerce websites to accept various payment methods via Stripe's payment processing API.
Patch security researcher Rafie Muhammad revealed that the plugin is vulnerable to an unauthenticated insecure direct object reference (IDOR) vulnerability, which allows threat actors to bypass authorization and access resources. Specifically, the vulnerability arises from the insecure handling of order objects and insufficient access control mechanisms in the 'javascript_params' and 'payment_fields' functions of the plugin. Muhammad stated, "This vulnerability allows any unauthenticated user to view any WooCommerce order's PII data including email, user's name, and full address."
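The missing control described above is an ownership check between the requester and the order object. As an added illustration (not the plugin's own code or its actual patch), the hypothetical helper below returns an order's billing PII only after that check; it assumes the WooCommerce API (`wc_get_order()`, `WC_Order::key_is_valid()`, the `view_order` meta capability) and a hypothetical function name.

```php
<?php
// Added illustration, not code from the WooCommerce Stripe Gateway plugin.
// Hypothetical helper: return the PII-bearing billing fields of an order
// only when the requester is authorized to see that specific order.
//
// Assumes WooCommerce's wc_get_order(), WC_Order::get_customer_id(),
// WC_Order::key_is_valid() and the 'view_order' meta capability.

function get_order_billing_fields_for_request( int $order_id, string $order_key = '' ) {
    $order = wc_get_order( $order_id );
    if ( ! $order ) {
        return null; // Unknown order: reveal nothing, not even that it exists.
    }

    // The authorization step an IDOR bug omits: bind the order to the requester.
    // Logged-in users need 'view_order' for this order (WooCommerce grants it to
    // the order's own customer); guests must present the per-order key that only
    // the buyer received. A bare numeric order ID is never sufficient.
    $authorized = is_user_logged_in()
        ? current_user_can( 'view_order', $order_id )
        : ( '' !== $order_key && $order->key_is_valid( $order_key ) );

    if ( ! $authorized ) {
        // Log denied lookups: many failures across sequential order IDs from one
        // source is a useful detection signal for order enumeration attempts.
        error_log( sprintf( 'Denied order PII lookup: order=%d user=%d', $order_id, get_current_user_id() ) );
        return null;
    }

    return array(
        'email'      => $order->get_billing_email(),
        'first_name' => $order->get_billing_first_name(),
        'last_name'  => $order->get_billing_last_name(),
        'address_1'  => $order->get_billing_address_1(),
        'city'       => $order->get_billing_city(),
        'postcode'   => $order->get_billing_postcode(),
        'country'    => $order->get_billing_country(),
    );
}
```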
This discovery comes shortly after the WordPress core team released versions 6.2.1 and 6.2.2 to address five security issues, including an unauthenticated directory traversal vulnerability and an unauthenticated cross-site scripting flaw. Three of these vulnerabilities were found during a third-party security audit.