Stripe Payment plugin bug reveals customer order details

June 17, 2023

Researchers discovered that the WooCommerce Stripe Payment plugin for WordPress is vulnerable to a misconfiguration that enables an unauthenticated user to view order details accomplished through the plugin.

Stripe is a payment gateway for WordPress e-commerce websites with nearly a million active installations. The plugin lets websites accept transactions through Amex, Apple Pay, Google Pay, MasterCard, and Visa.

The Stripe Payment plugin is susceptible to attacks that exploit a critical vulnerability.

According to a security analyst, the popular Stripe Payment plugin is exposed to cybercriminal attacks that leverage CVE-2023-34000. Based on reports, the flaw is an unauthenticated insecure direct object reference (IDOR) that could expose critical information to threat actors.

The critical flaw could let an attacker view the checkout page of an e-commerce website. Moreover, the vulnerability could also allow these actors to have a preview of personally identifiable information (PII), email addresses, users’ full names, and shipping addresses.

Leakage of these details is usually critical since it could lead to follow-on attacks such as credential theft through phishing campaigns and account hijacking. The vulnerability stems from insecure handling of order objects and a lack of proper access control in the plugin's payment-fields and parameters functions.

These code misconfigurations allow unauthorised individuals to call the functions and display the order details of any WooCommerce website, without the plugin checking the permissions of the requester or the ownership of the order.
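The bug class the article describes, shown as an added illustrative example (this is not the WooCommerce Stripe Gateway's own code; the `example_` function names are hypothetical): an order lookup that trusts a request-supplied order ID, beside a hardened version that verifies ownership before any PII is returned.

```php
<?php
// Added example, not the plugin's actual code. Assumes a WooCommerce environment;
// the example_ function names are hypothetical.

/** Vulnerable pattern (IDOR): any order ID yields that order's PII, no matter who asks. */
function example_order_details_insecure() {
    $order_id = absint( $_GET['order_id'] ?? 0 );
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        return null;
    }
    // No check of who is asking or whether they own this order.
    return array(
        'email'    => $order->get_billing_email(),
        'name'     => $order->get_formatted_billing_full_name(),
        'shipping' => $order->get_formatted_shipping_address(),
    );
}

/** Hardened pattern: only the order's owner (guest with the order key, or the logged-in
 *  customer who placed it) may read the order. */
function example_order_details_secure() {
    $order_id  = absint( $_GET['order_id'] ?? 0 );
    $order_key = sanitize_text_field( wp_unslash( $_GET['key'] ?? '' ) );
    $order     = wc_get_order( $order_id );
    if ( ! $order ) {
        return null;
    }

    // Guest checkout: the caller must present the per-order secret key that
    // WooCommerce generates; compare it in constant time.
    $key_ok = '' !== $order_key && hash_equals( $order->get_order_key(), $order_key );

    // Logged-in customers: WooCommerce maps the 'view_order' capability to
    // ownership of that specific order.
    $user_ok = is_user_logged_in() && current_user_can( 'view_order', $order_id );

    if ( ! $key_ok && ! $user_ok ) {
        // Deny without confirming whether the order exists.
        return null;
    }
    return array(
        'email'    => $order->get_billing_email(),
        'name'     => $order->get_formatted_billing_full_name(),
        'shipping' => $order->get_formatted_shipping_address(),
    );
}
```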

The dangerous part of this vulnerability is that it affects every version of the WooCommerce Stripe Gateway released before the patched version, which is the release users should upgrade to.

The vulnerable version was released by the plugin vendor in April 2023; a patch has since been published for the version that carried the critical flaw.

According to WordPress statistics, about half of the plugin's installations still run a flawed version. This means the vulnerable version presents an enormous attack surface, which could attract numerous malicious threat groups.

Therefore, WordPress website administrators should keep all their plugins updated and deactivate the ones that are not necessary. Lastly, WordPress admins should constantly monitor their websites for suspicious activities like file modification, alteration of settings, or generating new admin accounts.
