Critical Security Vulnerability Found in Stripe Gateway WooCommerce Plugin
A security flaw has been discovered in the WordPress WooCommerce Stripe Gateway plugin that could lead to unauthorized disclosure of sensitive information.
Defect, tracked as CVE-2023-34000, affecting versions 7.4.0 and earlier. It was handled by the plugin maintainer in version 7.4.1, which shipped on May 30, 2023.
WooCommerce Line Gateway possible e-commerce website to instantly accept multiple payment methods via Stripe’s payment processing API. It boasts over 900,000 active installations.
According to security researcher Patch Rafie Muhammad, this plugin suffers from so-called unauthenticated Insecure direct object references (DRY) vulnerabilities, which allow bad actors to bypass authorization and access resources.
In particular, the problem stems from insecure handling of the order object and the lack of adequate access control mechanisms in the ‘javascript_params’ and ‘payment_fields’ plugin functions.
“This vulnerability allows any unauthenticated user to view the PII data of WooCommnerce orders including email, username and full address,” Muhammad said.
Development comes a few weeks after the WordPress core team was released 6.2.1 And 6.2.2 to address five security issues, including the unauthenticated directory traversal vulnerability and the unauthenticated cross-site scripting flaw. Three bugs were discovered during a third party security audit.
