Critical Security Flaw Found in WooCommerce Stripe Gateway Plugin

June 14, 2023

A critical security vulnerability has been discovered in the WooCommerce Stripe Gateway WordPress plugin, potentially leading to unauthorized disclosure of sensitive data. The security flaw, identified as CVE-2023-34000, affects plugin versions 7.4.0 and below. The issue was resolved by the plugin's maintainers with the release of version 7.4.1 on May 30, 2023. WooCommerce Stripe Gateway is a popular plugin, with over 900,000 active installations, enabling e-commerce websites to accept various payment methods via Stripe's payment processing API.

Patchstack security researcher Rafie Muhammad revealed that the plugin is vulnerable to an unauthenticated insecure direct object reference (IDOR) vulnerability, which allows threat actors to bypass authorization and access resources. Specifically, the vulnerability arises from the insecure handling of order objects and insufficient access control mechanisms in the 'javascript_params' and 'payment_fields' functions of the plugin. Muhammad stated, "This vulnerability allows any unauthenticated user to view any WooCommerce order's PII data including email, user's name, and full address."
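To make the vulnerability class concrete, the following PHP is an added illustration of the IDOR pattern described above next to a hardened version. It is not the plugin's own code and not the fix shipped in 7.4.1; the function names `order_pii_insecure` and `order_pii_secure` are hypothetical, and the snippet assumes it runs inside a site where WooCommerce is loaded.

```php
<?php
// Added illustration of an IDOR on WooCommerce order objects (not the
// WooCommerce Stripe Gateway plugin's code). Function names are hypothetical.
// Assumes WordPress and WooCommerce are loaded.

// Vulnerable pattern: whoever supplies an order id receives that order's
// billing PII, with no check on who is asking. An unauthenticated caller
// can iterate ids and harvest email, name and address for every order.
function order_pii_insecure( $order_id ) {
    $order = wc_get_order( absint( $order_id ) );
    if ( ! $order ) {
        return null;
    }
    return array(
        'email'   => $order->get_billing_email(),
        'name'    => $order->get_formatted_billing_full_name(),
        'address' => $order->get_formatted_billing_address(),
    );
}

// Hardened pattern: the order id alone grants nothing. The requester must be
// the order's customer, hold the store-manager capability, or (for guest
// checkouts) present the order key WooCommerce itself uses to authorize
// order-pay/order-received pages.
function order_pii_secure( $order_id, $order_key = '' ) {
    $order = wc_get_order( absint( $order_id ) );
    if ( ! $order ) {
        return null;
    }

    $customer_id = (int) $order->get_customer_id();
    $current     = get_current_user_id();

    $is_owner   = $customer_id > 0 && $customer_id === $current;
    $is_manager = current_user_can( 'manage_woocommerce' );
    $has_key    = '' !== $order_key
        && hash_equals( $order->get_order_key(), wc_clean( $order_key ) );

    if ( ! ( $is_owner || $is_manager || $has_key ) ) {
        // Deny with the same response as "not found" so the endpoint does not
        // double as an order-id enumeration oracle.
        return null;
    }

    return array(
        'email'   => $order->get_billing_email(),
        'name'    => $order->get_formatted_billing_full_name(),
        'address' => $order->get_formatted_billing_address(),
    );
}
```

The design point is that a resolvable object id is not an authorization decision: every code path that loads an order from request-controlled input (a query parameter, a hidden form field, a cart session value) must re-check that the current requester is entitled to that specific order before any field of it is rendered or returned. The order-key comparison uses `hash_equals` rather than `==` to avoid a timing side channel, and unauthorized and nonexistent orders produce the same response.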

This discovery comes shortly after the WordPress core team released versions 6.2.1 and 6.2.2 to address five security issues, including an unauthenticated directory traversal vulnerability and an unauthenticated cross-site scripting flaw. Three of these vulnerabilities were found during a third-party security audit.
