Critical Security Flaw Discovered in Stripe Payment Plugin for WooCommerce

August 2, 2023

A significant security vulnerability, known as CVE-2023-3162, has been identified in the Stripe Payment Plugin for WooCommerce. This flaw could potentially allow an unauthenticated user to log in as any customer who has made a purchase. The severity of this vulnerability is underscored by its CVSS score of 9.8, which denotes a high level of risk.

The Stripe Payment Plugin for WooCommerce plays a crucial role in the digital retail infrastructure, facilitating businesses to accept a wide range of payment methods. This includes traditional credit and debit cards like Mastercard, Visa, American Express, Discover, JCB, and Diners Club, as well as modern alternatives such as Alipay, Apple Pay, Google Pay, SEPA, Klarna, Afterpay/Clearpay, Sofort, iDEAL, and WeChat Pay. All these transactions are securely processed through the Stripe Payment Gateway.

The plugin is designed to offer seamless and secure transactions. Once activated, it integrates Stripe checkout into the online store of the merchant, providing a safe platform for customers to finalize their transactions using credit or debit cards. The plugin, which boasts over 10,000 active installations, pledges a smooth payment experience. However, a serious flaw has been detected under the surface.

The vulnerability, tagged as CVE-2023-3162, is rooted in how the plugin manages user authentication during a Stripe checkout. The plugin fails to accurately verify the user provided, thereby allowing an attacker to circumvent authentication and log in as any user who has made a purchase. If an attacker manages to exploit this flaw, they could potentially access any user account that has placed an order. This could expose sensitive data like credit card numbers, order history, and personal details. Moreover, the attacker could use the compromised account to execute unauthorized purchases or access other sensitive sections of the website.

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.