Vulnerabilities > CVE-2021-39347 - Missing Authorization vulnerability in Paymentplugins Stripe for Woocommerce

CVSS 4.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

NONE

Integrity impact

PARTIAL

Availability impact

NONE

network

low complexity

paymentplugins

CWE-862

NVD

Published: 2021-10-04

Updated: 2021-10-12

Summary

The Stripe for WooCommerce WordPress plugin is missing a capability check on the save() function found in the ~/includes/admin/class-wc-stripe-admin-user-edit.php file that makes it possible for attackers to configure their account to use other site users unique STRIPE identifier and make purchases with their payment accounts. This affects versions 3.0.0 - 3.3.9.

Vulnerable Configurations

Part	Description	Count
Application	Paymentplugins Paymentplugins Stripe FOR Woocommerce *	1

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

References

https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39347
https://plugins.trac.wordpress.org/changeset/2601162/woo-stripe-payment/trunk/includes/admin/class-wc-stripe-admin-user-edit.php