
Critical Vulnerability in WordPress Stripe Payment Plugin Exposes Customer Data

The WordPress Stripe Payment Gateway plugin, developed by WooCommerce, has been found vulnerable to an unauthenticated Insecure Direct Object Reference (IDOR) vulnerability.

The plugin is at version 7.4.1 and has nearly 900K installations worldwide. Usually, payments are redirected to an externally hosted checkout page, where the checkout and payment process takes place.

This plugin exists so that customers stay on the WordPress site during payment.

CVE-2023-34000: IDOR vulnerability in WooCommerce Stripe Payment Gateway plugin

As reported by Patchstack, a threat actor can abuse the javascript_params and payment_fields functions to retrieve sensitive information from the database, including Personally Identifiable Information (PII) such as email addresses, shipping addresses, and the user's full name.

Exposure of this data is serious and could enable follow-on attacks, such as scam emails aimed at taking over accounts and stealing credentials.

Affected Products

WooCommerce Stripe Gateway Plugin version 7.4.0 and below

Fixed in Version

WooCommerce Stripe Gateway Plugin version 7.4.1

Vulnerability Details

The plugin's 'javascript_params' and 'payment_fields' functions are vulnerable because of improper order-object handling and a lack of access-control checks.

Because of these flaws, the information of any WooCommerce order can be viewed by an unauthorized third party: the code neither verifies the legitimacy of the request nor confirms that the requester is the rightful owner of the order.
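As an added illustration (not the plugin's code, which the article does not reproduce), the hypothetical PHP below contrasts an order-details accessor that trusts a request-supplied order id with one that verifies the requester's entitlement before exposing billing or shipping data. The function names and structure are assumptions; the WooCommerce and WordPress API calls used are real.

```php
<?php
// Hypothetical illustration of the IDOR pattern described above; not the plugin's code.
// Assumes WordPress and WooCommerce are loaded (wc_get_order, get_current_user_id, etc.).

// VULNERABLE PATTERN: the order id comes straight from the request and is trusted as-is.
// Whoever can reach this code path can walk order ids and read another customer's PII.
function insecure_order_params( $order_id ) {
    $order = wc_get_order( absint( $order_id ) );
    if ( ! $order ) {
        return array();
    }
    return array(
        'billing_email' => $order->get_billing_email(),
        'billing_name'  => $order->get_formatted_billing_full_name(),
        'shipping'      => $order->get_formatted_shipping_address(),
    );
}

// HARDENED PATTERN: confirm entitlement before returning anything about the order.
// A logged-in customer must own the order; a guest must present the order key, which is
// compared in constant time. Unknown and unauthorized orders both yield the same empty
// result, so the function does not act as an order-existence oracle.
function secure_order_params( $order_id, $presented_key = '' ) {
    $order = wc_get_order( absint( $order_id ) );
    if ( ! $order ) {
        return array();
    }

    $current_user = get_current_user_id();          // 0 when not logged in
    $owner_id     = (int) $order->get_customer_id(); // 0 for guest orders

    $is_owner = ( $current_user > 0 && $owner_id === $current_user );
    $key_ok   = ( '' !== $presented_key
                  && hash_equals( $order->get_order_key(), (string) $presented_key ) );

    if ( ! $is_owner && ! $key_ok ) {
        // Denied: log the attempt server-side if desired, but expose nothing to the caller.
        return array();
    }

    return array(
        'billing_email' => $order->get_billing_email(),
        'billing_name'  => $order->get_formatted_billing_full_name(),
        'shipping'      => $order->get_formatted_shipping_address(),
    );
}
```

The hardened check is the control whose absence the article describes: the order id alone is never treated as proof that the requester may see the order.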

Flaw resides in javascript_params

Statistics compiled by WordPress.org show that more than half of all active plugin installations use a vulnerable version.

WooCommerce has released an update that addresses this flaw; users are advised to upgrade to version 7.4.1.

Source: https://cybersecuritynews.com/stripe-payment-plugin-flaw/
