
Security flaw exposed in WooCommerce Stripe Gateway plugin

Major vulnerability could allow attackers to access and disclose sensitive information, affecting over 900,000 active installations

This pill is also available in Italian.

A security flaw has been discovered in the WordPress WooCommerce Stripe Gateway plugin, which could lead to unauthorized disclosure of sensitive information. This vulnerability has been tracked under the designation CVE-2023-34000, which affects plugin versions 7.4.0 and earlier.

Problem fixed and plugin updated

The plugin development team fixed the issue in version 7.4.1, released on May 30, 2023. This fix is a major step forward in safeguarding user information and preventing possible security compromises.

Features of the WooCommerce Stripe Gateway plugin and extent of the impact

WooCommerce Stripe Gateway is a plugin that allows ecommerce sites to directly accept various payment methods through the Stripe payment processing API. With over 900,000 active installations, the impact of this vulnerability could be significant, jeopardizing the security of user data and transactions across a wide range of websites.

Technical details and implications of the vulnerability

According to Patchstack security researcher Rafie Muhammad, the plugin suffers from an unauthenticated insecure direct object reference (IDOR) vulnerability, which allows a malicious actor to bypass authorization and access resources. In particular, the problem stems from insecure handling of order objects and the lack of a proper access control mechanism in the plugin's 'javascript_params' and 'payment_fields' functions. "This vulnerability allows any unauthenticated user to view the PII data of any WooCommerce order, including the user's email, name and full address," said Muhammad.

This discovery follows recent security fixes released by the WordPress team, which addressed five security issues, including an unauthenticated directory traversal vulnerability and an unauthenticated cross-site scripting flaw.
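As an added illustration, not the plugin's own code or its actual patch, here is the kind of ownership check that closes an IDOR of this type: before an order's billing details are handed to front-end code, the request must prove it is entitled to that order. The WordPress and WooCommerce functions used (wc_get_order, absint, get_current_user_id, current_user_can and the WC_Order getters) are standard APIs; the function names insecure_order_params, secure_order_params and current_user_can_view_order are hypothetical.

```php
<?php
// Added example, not the plugin's own code. Contrasts a function that
// trusts a request-supplied order id with one that checks authorization
// before exposing billing PII. Function names are hypothetical.

// Vulnerable pattern (simplified): returns billing data for whatever order
// id the request names, without asking who is asking.
function insecure_order_params( $order_id ) {
    $order = wc_get_order( absint( $order_id ) );
    if ( ! $order ) {
        return array();
    }
    return array(
        'email'   => $order->get_billing_email(),
        'name'    => $order->get_formatted_billing_full_name(),
        'address' => $order->get_formatted_billing_address(),
    );
}

// Hardened: only the order's own customer, or a user who may manage the
// shop, is allowed to read it. Guests (user id 0) are denied here; a real
// implementation would also accept the order key WooCommerce issues to the
// purchaser so that guest checkout keeps working.
function current_user_can_view_order( WC_Order $order ) {
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }
    $user_id = get_current_user_id();
    return $user_id > 0 && (int) $order->get_customer_id() === $user_id;
}

function secure_order_params( $order_id ) {
    $order = wc_get_order( absint( $order_id ) );
    // Deny by default, and do not reveal whether the order exists.
    if ( ! $order || ! current_user_can_view_order( $order ) ) {
        return array();
    }
    return array(
        'email'   => $order->get_billing_email(),
        'name'    => $order->get_formatted_billing_full_name(),
        'address' => $order->get_formatted_billing_address(),
    );
}
```

The same check belongs in every code path that resolves an order from untrusted input, not only in the one where the missing control was first noticed.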


06/14/2023 08:55

Marco Verro
