A significant security vulnerability, known as CVE-2023-3162, has been identified in the Stripe Payment Plugin for WooCommerce. This flaw could potentially allow an unauthenticated user to log in as any customer who has made a purchase. The severity of this vulnerability is underscored by its CVSS score of 9.8, which denotes a high level of risk.
The Stripe Payment Plugin for WooCommerce plays a crucial role in the digital retail infrastructure, facilitating businesses to accept a wide range of payment methods. This includes traditional credit and debit cards like Mastercard, Visa, American Express, Discover, JCB, and Diners Club, as well as modern alternatives such as Alipay, Apple Pay, Google Pay, SEPA, Klarna, Afterpay/Clearpay, Sofort, iDEAL, and WeChat Pay. All these transactions are securely processed through the Stripe Payment Gateway.
The plugin is designed to offer seamless and secure transactions. Once activated, it integrates Stripe checkout into the online store of the merchant, providing a safe platform for customers to finalize their transactions using credit or debit cards. The plugin, which boasts over 10,000 active installations, pledges a smooth payment experience. However, a serious flaw has been detected under the surface.
The vulnerability, tagged as CVE-2023-3162, is rooted in how the plugin manages user authentication during a Stripe checkout. The plugin fails to accurately verify the user provided, thereby allowing an attacker to circumvent authentication and log in as any user who has made a purchase. If an attacker manages to exploit this flaw, they could potentially access any user account that has placed an order. This could expose sensitive data like credit card numbers, order history, and personal details. Moreover, the attacker could use the compromised account to execute unauthorized purchases or access other sensitive sections of the website.