The WooCommerce Stripe Gateway plugin for WordPress was found to be vulnerable to a bug that allows any unauthenticated user to view the details of orders placed through the plugin.
WooCommerce Stripe Payment is a payment gateway for WordPress e-commerce sites, which currently has 900,000 active installations. It allows websites to accept payment methods such as Visa, MasterCard, American Express, Apple Pay, and Google Pay through Stripe's payment processing API.
Security analysts at Patchstack have discovered that the popular plugin is vulnerable to CVE-2023-34000, an unauthenticated insecure direct object reference (IDOR) flaw that could expose sensitive details to attackers.
The vulnerability could allow unauthenticated users to view checkout page data, including PII (personally identifiable information), email addresses, shipping addresses, and the user's full name.
Exposure of the above data is considered severe and could lead to further attacks, such as attempted account hijacks and credential theft via targeted phishing emails.
The flaw originates from the insecure handling of order objects and a lack of proper access control measures in the plugin's 'javascript_params' and 'payment_fields' functions.
These code errors make it possible to abuse the functions to display the order details of any WooCommerce order without checking the permissions of the request or the ownership of the order (user matching).
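To illustrate the bug class described above, here is an added example written for this article; it is not the plugin's code and does not reproduce the two patched functions. It assumes a hypothetical request handler, `example_get_order_details`, that receives an order ID from the request and returns the checkout data. The first version omits the ownership check that makes an IDOR possible; the second returns the order only to its owner, to a shop manager, or (for guest checkouts) to a request carrying the order's key. The WordPress and WooCommerce functions used (`wc_get_order`, `get_current_user_id`, `current_user_can`, `WC_Order::get_customer_id`, `WC_Order::key_is_valid`) are real APIs; everything prefixed `example_` is invented for the illustration.

```php
<?php
// Added example (not the plugin's code): an IDOR-prone order lookup beside a hardened version.
// Assumes WordPress and WooCommerce are loaded; all "example_" names are hypothetical.

/**
 * Vulnerable pattern: trusts the order ID from the request and returns the
 * order's checkout data without checking who is asking.
 */
function example_get_order_details_insecure() {
    $order_id = absint( $_GET['order_id'] ?? 0 );
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        return null;
    }
    // Any caller who supplies a valid order ID receives another customer's PII.
    return example_order_summary( $order );
}

/**
 * Hardened pattern: the order is returned only if the requester owns it,
 * can manage the shop, or (for guest checkouts) presents the order key.
 */
function example_get_order_details_secure() {
    $order_id = absint( $_GET['order_id'] ?? 0 );
    $key      = sanitize_text_field( wp_unslash( $_GET['key'] ?? '' ) );
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        // Same response as "not allowed", so the error text does not reveal which IDs exist.
        return null;
    }

    $current_user = get_current_user_id();
    $is_owner     = $current_user && (int) $order->get_customer_id() === $current_user;
    $is_manager   = current_user_can( 'manage_woocommerce' );
    $has_key      = '' !== $key && $order->key_is_valid( $key );

    if ( ! ( $is_owner || $is_manager || $has_key ) ) {
        // Ownership / capability check: the step an IDOR of this class is missing.
        return null;
    }
    return example_order_summary( $order );
}

/** The fields a checkout page needs; the same data an IDOR would leak. */
function example_order_summary( WC_Order $order ) {
    return array(
        'id'               => $order->get_id(),
        'email'            => $order->get_billing_email(),
        'name'             => $order->get_formatted_billing_full_name(),
        'shipping_address' => $order->get_formatted_shipping_address(),
    );
}
```

The key design point is that the order ID alone is never treated as proof of ownership: a handler that must serve logged-out visitors (for example one registered on a `nopriv` AJAX hook) can only legitimately rely on the order key, which is generated per order and is not guessable the way sequential IDs are.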

The flaw affects all versions of WooCommerce Stripe Gateway below 7.4.1, which is the version users are recommended to upgrade to.
Patchstack discovered and reported CVE-2023-34000 to the plugin vendor on April 17, 2023, and a patch with version 7.4.1 was released on May 30, 2023.
According to WordPress.org stats, over half of the active installations of the plugin currently use a vulnerable version, which translates to a large attack surface that is bound to draw the attention of cybercriminals.
There have been multiple cases of hackers attacking vulnerable WordPress plugins in the past few months, such as Elementor Pro, Advanced Custom Fields, Essential Addons for Elementor, and Beautiful Cookie Consent Banner, just to name a few.
WordPress site admins should keep all their plugins up to date, deactivate those that aren't needed or used, and monitor their sites for suspicious activity such as modification of files, changes to settings, or creation of new admin accounts.