Security News > 2023 > June > WordPress Stripe payment plugin bug leaks customer order details
The WooCommerce Stripe Gateway plugin for WordPress was found to be vulnerable to a bug that allows any unauthenticated user to view the details of orders placed through the plugin.
WooCommerce Stripe Payment is a payment gateway for WordPress e-commerce sites that currently has 900,000 active installations.
It allows websites to accept payment methods such as Visa, MasterCard, American Express, Apple Pay, and Google Pay through Stripe's payment processing API.
Security analysts at Patchstack discovered that the popular plugin is vulnerable to CVE-2023-34000, an unauthenticated insecure direct object reference (IDOR) flaw that could expose sensitive order details to attackers.
The flaw stems from insecure handling of order objects and missing access control checks in the plugin's 'javascript params' and 'payment fields' functions.
Because of this, the functions can be abused to display the details of any WooCommerce order without checking either the permissions of the requester or whether the requester owns the order.
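The flaw class described above, an order identifier taken from the request and used as a lookup key with no authorization decision, modelled as an added example. This is not the WooCommerce Stripe Gateway code and is written in Python rather than the plugin's PHP; the function names, the sample orders, the user ids, the `manage_woocommerce` capability string and the per-order secret key used for guest checkouts are all constructed for illustration (the page names the real functions only as 'javascript params' and 'payment fields'). The vulnerable lookup is shown beside a hardened one that requires the requester to be shop staff, the order's owner, or a guest presenting the order's secret key.

```python
"""Model of an IDOR on order lookups: user-controlled key, no authorization.

Added example, not the plugin's code. Order records, user ids, the
capability name and the order-key scheme are constructed for illustration.
"""
from dataclasses import dataclass
from hmac import compare_digest
from typing import Optional


@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: Optional[int]   # None for a guest checkout
    order_key: str               # per-order secret handed to the buyer (assumed scheme)
    billing_email: str
    total: str


@dataclass(frozen=True)
class Requester:
    """Who is making the HTTP request. user_id None means unauthenticated."""
    user_id: Optional[int] = None
    capabilities: frozenset = frozenset()   # e.g. {"manage_woocommerce"}
    supplied_key: Optional[str] = None      # order key sent with the request, if any


# Constructed sample data standing in for the site's order table.
ORDERS = {
    1001: Order(1001, 7, "wc_order_k1", "alice@example.com", "49.00"),
    1002: Order(1002, None, "wc_order_k2", "guest@example.com", "120.00"),
}

MANAGE_ORDERS = "manage_woocommerce"   # shop-manager capability (assumed name)


def order_summary(order: Order) -> dict:
    """The subset of order data the endpoint renders."""
    return {
        "order_id": order.order_id,
        "billing_email": order.billing_email,
        "total": order.total,
    }


def order_params_vulnerable(requester: Requester, order_id: int) -> Optional[dict]:
    """Flawed pattern: order_id comes straight from the request and is used as
    the lookup key. Nothing about the requester is consulted, so any caller,
    logged in or not, can read any order simply by varying order_id."""
    order = ORDERS.get(order_id)
    return order_summary(order) if order else None


def can_view_order(requester: Requester, order: Order) -> bool:
    """Authorization decision: shop staff, the owning customer, or a guest who
    presents the correct per-order key."""
    if MANAGE_ORDERS in requester.capabilities:
        return True
    if requester.user_id is not None and order.customer_id == requester.user_id:
        return True
    if requester.supplied_key is not None:
        # Constant-time comparison so the key cannot be guessed byte by byte.
        return compare_digest(requester.supplied_key.encode(), order.order_key.encode())
    return False


def order_params_hardened(requester: Requester, order_id: int) -> Optional[dict]:
    """Same lookup with the access check the flawed version lacks. Missing and
    forbidden orders both yield None so the endpoint cannot be used to
    enumerate which order ids exist."""
    order = ORDERS.get(order_id)
    if order is None or not can_view_order(requester, order):
        return None
    return order_summary(order)


if __name__ == "__main__":
    anonymous = Requester()
    print("vulnerable, anonymous:", order_params_vulnerable(anonymous, 1001))
    print("hardened,   anonymous:", order_params_hardened(anonymous, 1001))
    print("hardened,   owner:    ", order_params_hardened(Requester(user_id=7), 1001))
```

The check belongs on every code path that turns a request parameter into an order, not only on the page that normally renders it; in this bug the exposure came through helper functions that feed the checkout form, which is exactly where such a check tends to be forgotten.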
There have been multiple cases of hackers attacking vulnerable WordPress plugins in the past few months, such as Elementor Pro, Advanced Custom Fields, Essential Addons for Elementor, and Beautiful Cookie Consent Banner, just to name a few.
Related Vulnerability
Date | CVE | Vulnerability title | Risk (CVSS base score) |
---|---|---|---|
2023-06-14 | CVE-2023-34000 | Authorization Bypass Through User-Controlled Key vulnerability in Woocommerce Stripe Payment Gateway Unauth. | 7.5 |