WooCommerce Stripe Payment
WooCommerce Strip Payment is a payment gateway for WordPress e-commerce sites, with 900,000 active installs. Through Stripe's payment processing API, it enables websites to accept payment methods like Visa, MasterCard, American Express, Apple Pay, and Google Pay.
About the Vulnerability
Origin of the Flaw
The vulnerability originated from unsafe handling of order objects and an improper access control measures in the plugin’s ‘javascript_params’ and ‘payment_fields’ functions.
Due to these coding errors, it is possible to display order data for any WooCommerce store without first confirming the request's permissions or the order's ownership (user matching).
Consequences of the Flaw
The payment gateway vulnerability could eventually enable unauthorized users access to the checkout page data that includes PII (personally identifiable information), email addresses, shipping addresses and the user’s full name.
Since the data listed above is listed as ‘critical,’ it could further lead to additional cyberattacks wherein the threat actor could attempt account hijacks and credential theft through phishing emails that specifically target the victim.
How to Patch the Vulnerability?
Users of the WooCommerce Strip Gateway plugin should update to version 7.4.1 in order to reduce the risks associated with this vulnerability. On April 17, 2023, specialists immediately notified the plugin vendor of the vulnerability, CVE-2023-34000. On May 30, 2023, a patch that addressed the problem and improved security was made available.
Despite the patch's accessibility, the concerning WordPress.org data point to risk. The truth is that unsafe plugin versions are still being used by more than half of the active installations. The attack surface is greatly increased in this situation, which attracts cybercriminals looking to take advantage of the security flaw.
Adding to this, the gateway needs safety measures to be taken swiftly like updating version 7.4.1 and ensuring that all plugins are constantly updated, and keeping an eye out for any indications of malicious activities. Website supervisors can preserve sensitive user data and defend their online companies from potential cyber threats by giving security measures a first priority.