Bug in WordPress Stripe payment plugin exposes customer order information
Unauthenticated users can access customer order details due to a bug in the WordPress Stripe payment plugin
A vulnerability has been discovered in the WooCommerce Stripe Gateway plugin for WordPress, which enables unauthenticated users to view order details from the plugin. This popular payment gateway, with 900,000 active installations, allows WordPress e-commerce websites to accept various payment methods through Stripe’s API, including Visa, MasterCard, American Express, Apple Pay, and Google Pay.
The security analysis conducted by Patchstack reveals that the plugin is susceptible to an unauthenticated insecure direct object reference (IDOR) flaw known as CVE-2023-34000. This vulnerability exposes sensitive information to potential attackers. Unauthenticated users can access checkout page data, including personally identifiable information (PII), email addresses, shipping addresses, and customers’ full names.
The exposure of this data is deemed serious as it can lead to further malicious activities, such as attempted account hijacking and credential theft through targeted phishing emails.
The vulnerability stems from the improper handling of order objects and the absence of adequate access control measures within the plugin’s ‘javascript_params’ and ‘payment_fields’ functions. Exploiting these coding errors allows attackers to display order details of any WooCommerce instance without verifying request permissions or order ownership.
All versions of the WooCommerce Stripe Gateway plugin prior to 7.4.1 are affected by this flaw. Users are strongly advised to upgrade to version 7.4.1, which includes a patch to address the vulnerability.
Patchstack identified and reported CVE-2023-34000 to the plugin vendor on April 17, 2023. A fix was released on May 30, 2023, with the 7.4.1 version.
According to WordPress.org statistics, more than half of the active plugin installations currently utilize a vulnerable version. This widespread vulnerability increases the potential target for cybercriminals.
In recent months, there have been several instances of hackers targeting vulnerable WordPress plugins, including Elementor Pro, Advanced Custom Fields, Essential Addons for Elementor, and Beautiful Cookie Consent Banner, among others.
WordPress site administrators should prioritize keeping all plugins up to date, disabling unnecessary plugins, and actively monitoring their websites for suspicious activities like file modifications, setting changes, or the creation of new admin accounts.