WordPress

The WooCommerce Stripe Gateway plugin for WordPress was found to be vulnerable to a bug that allows any unauthenticated user to view order details placed through the plugin.

WooCommerce Stripe Payment is a payment gateway for WordPress e-commerce sites, which currently has 900,000 active installations. It allows websites to accept payment methods such as Visa, MasterCard, American Express, Apple Pay, and Google Pay through Stripe's payment processing API.

Security analysts at Patchstack have discovered that the popular plugin is vulnerable to CVE-2023-34000, an unauthenticated insecure direct object reference (IDOR) flaw that could expose sensitive details to attackers.

The vulnerability could allow unauthenticated users to view checkout page data, including PII (personally identifiable information), email addresses, shipping addresses, and the user's full name. 

Exposure of the above data is considered severe and could lead to additional attacks, such as attempted account hijacks and credential theft via targeted phishing emails.

The flaw originates from the insecure handling of order objects and a lack of proper access control measures in the plugin's 'javascript_params' and 'payment_fields' functions.

These code errors make it possible to abuse the functions to display order details of any WooCommerce without checking the permissions of the request or the ownership of the order (user matching).

The payment-fields function
The payment-fields function (Patchstack)

The flaw impacts all versions of WooCommerce Stripe Gateway below 7.4.1, which is the version users are recommended to upgrade to.

Patchstack discovered and reported CVE-2023-34000 to the plugin vendor on April 17, 2023, and a patch with version 7.4.1 was released on May 30, 2023.

According to WordPress.org stats, over half of the active installations of the plugin currently use a vulnerable version, which translates to a large attack surface, bound to draw the attention of cybercriminals.

There have been multiple cases of hackers attacking vulnerable WordPress plugins in the past few months, such as Elementor ProAdvanced Custom FieldsEssential Addons for Elementor, and Beautiful Cookie Consent Banner, just to name a few.

WordPress site admins should keep all their plugins up to date, deactivate those that aren't needed/used, and monitor their sites for suspicious activity like modification of files, change of settings, or creation of new admin accounts.

Related Articles:

Hackers exploit LiteSpeed Cache flaw to create WordPress admins

Plugins on WordPress.org backdoored in supply chain attack

Facebook PrestaShop module exploited to steal credit cards

Check Point releases emergency fix for VPN zero-day exploited in attacks

Dev rejects CVE severity, makes his GitHub repo read-only