
WordPress: Stripe Payment Plugin Flaw Exposes Customers' Order Details


A critical vulnerability has recently been discovered in the WooCommerce Stripe Gateway plugin for WordPress. It exposes sensitive customer order information to unauthorized parties. The plugin, which provides payment processing for over 900,000 active installations of WordPress e-commerce sites, was susceptible to CVE-2023-34000, an unauthenticated insecure direct object reference (IDOR) bug.

WooCommerce Stripe Payment

WooCommerce Stripe Payment Gateway is a payment gateway for WordPress e-commerce sites, with 900,000 active installs. Through Stripe's payment processing API, it enables websites to accept payment methods like Visa, MasterCard, American Express, Apple Pay, and Google Pay.

About the Vulnerability

Origin of the Flaw

The vulnerability originated from unsafe handling of order objects and improper access control in the plugin’s ‘javascript_params’ and ‘payment_fields’ functions.

Because of these coding errors, order data for any order on a WooCommerce store can be displayed without the plugin first confirming the requester's permissions or the order's ownership (matching the order to the current user).
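The following is an added illustration, not the plugin's own code or its patch: a function of the kind described above that returns order details for a request-supplied order id, first without any check (the IDOR pattern) and then with ownership, capability and order-key checks. Function names are hypothetical; the WooCommerce and WordPress helpers used are real.

```php
<?php
// Added illustration (not the plugin's code) of an IDOR on order objects.
// Assumes WooCommerce is loaded so wc_get_order() and WC_Order exist.

// VULNERABLE: trusts the order id from the request and returns billing and
// shipping details for any order, to anyone, with no permission check.
function vulnerable_order_details( $order_id ) {
    $order = wc_get_order( absint( $order_id ) );
    if ( ! $order ) {
        return array();
    }
    return array(
        'email'    => $order->get_billing_email(),
        'name'     => $order->get_formatted_billing_full_name(),
        'shipping' => $order->get_formatted_shipping_address(),
    );
}

// HARDENED: the caller must own the order, hold a capability that grants
// access to all orders, or present the order key (the per-order secret
// WooCommerce gives the purchaser, which guests use on the thank-you page).
function hardened_order_details( $order_id, $order_key = '' ) {
    $order = wc_get_order( absint( $order_id ) );
    if ( ! $order ) {
        return new WP_Error( 'not_found', 'Order not found.', array( 'status' => 404 ) );
    }
    $user_id  = get_current_user_id();
    $owns_it  = $user_id > 0 && (int) $order->get_customer_id() === $user_id;
    $is_staff = current_user_can( 'manage_woocommerce' );
    // hash_equals() compares in constant time; an empty key never matches.
    $key_ok   = '' !== $order_key
        && hash_equals( $order->get_order_key(), (string) $order_key );

    if ( ! ( $owns_it || $is_staff || $key_ok ) ) {
        return new WP_Error( 'forbidden', 'You may not view this order.', array( 'status' => 403 ) );
    }
    return array(
        'email'    => $order->get_billing_email(),
        'name'     => $order->get_formatted_billing_full_name(),
        'shipping' => $order->get_formatted_shipping_address(),
    );
}
```

The hardened form fails closed: a missing user, a mismatched customer id and an absent or wrong order key all produce a 403 rather than the data.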

Consequences of the Flaw

The payment gateway vulnerability could enable unauthorized users to access checkout page data that includes PII (personally identifiable information): email addresses, shipping addresses and the user’s full name.

Because this data is classed as ‘critical,’ its exposure could lead to further attacks, in which the threat actor attempts account hijacking and credential theft through phishing emails that specifically target the victim.

How to Patch the Vulnerability?

Users of the WooCommerce Stripe Gateway plugin should update to version 7.4.1 in order to reduce the risks associated with this vulnerability. On April 17, 2023, specialists notified the plugin vendor of the vulnerability, CVE-2023-34000. On May 30, 2023, a patch that addressed the problem and improved security was made available.

Despite the patch's availability, WordPress.org download statistics point to continued risk: more than half of the active installations are still running vulnerable plugin versions. This greatly increases the attack surface and attracts cybercriminals looking to take advantage of the security flaw.

Site owners should therefore act swiftly: update to version 7.4.1, keep all plugins constantly updated, and watch for any indications of malicious activity. By giving security measures first priority, website administrators can preserve sensitive user data and defend their online businesses from potential cyber threats.

New Vulnerabilities Discovered in 5 WooCommerce WordPress Plugins


The U.S. government's National Vulnerability Database (NVD) has recently warned of vulnerabilities in 5 WooCommerce WordPress plugins, affecting over 135,000 installations.

Many of the vulnerabilities are rated 9.8 on a scale of 1-10; overall they range in severity from moderate to as high as Critical.

Each discovered vulnerability was assigned a CVE (Common Vulnerabilities and Exposures) identifier.

1. Advanced Order Export For WooCommerce:

The Advanced Order Export for WooCommerce plugin, installed on as many as 100,000 websites, is vulnerable to a Cross-Site Request Forgery (CSRF) attack.

A CSRF vulnerability is a flaw in a website or plugin that enables a threat actor to deceive a logged-in user into submitting a request the user did not intend.

A browser generally holds cookies that tell a website that a user is registered and logged in, and a forged request carries those cookies along. The threat actor could thereby act with the privilege level of an admin, gaining complete access to the website and, consequently, exposing the admin’s sensitive customer information.

This vulnerability could lead to an export file download. Given that the plugin's purpose is to export WooCommerce order data, it is reasonable to presume that order data is the kind of file an attacker could obtain.

Official Vulnerability Description:

The Official vulnerability description states that “Cross-Site Request Forgery (CSRF) vulnerability in Advanced Order Export For WooCommerce plugin <= 3.3.2 on WordPress leading to export file download.” 

This vulnerability affects all versions of the Advanced Order Export for WooCommerce plugin up to and including version 3.3.2.

2. Advanced Dynamic Pricing for WooCommerce: 

The second affected plugin, Advanced Dynamic Pricing for WooCommerce, is installed on over 20,000 websites. The plugin was discovered to have two CSRF vulnerabilities, affecting all plugin versions lower than 4.1.6.

The purpose of the plugin is to make it simpler for retailers to create discount and pricing rules.

The first vulnerability (CVE-2022-43488) can result in a “rule sort migration.”

The official description by the NVD reads “Cross-Site Request Forgery (CSRF) vulnerability in Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 on WordPress resulting in rule sort migration.”

3. Advanced Coupons for WooCommerce Coupons plugin: 

The third affected plugin, Advanced Coupons for WooCommerce Coupons, has over 10,000 installs. The issue discovered in this plugin is also a CSRF vulnerability, affecting all versions below version 4.5.01.

The official description by the NVD reads “Cross-Site Request Forgery (CSRF) vulnerability in Advanced Coupons for WooCommerce Coupons plugin <= 4.5 on WordPress leading to notice dismissal.”

4. WooCommerce Dropshipping by OPMC – Critical: 

The next affected plugin, WooCommerce Dropshipping by OPMC, has around 3,000 installations.

A critical unauthenticated SQL injection vulnerability, scored 9.8 on a scale of 1-10, affects versions of this plugin below 4.4. The SQL injection allows an attacker to manipulate the WordPress database and assume admin-level permissions, and consequently to make changes to the database, erase data, or even download sensitive data.

The NVD while describing this specific plugin vulnerability says, “The WooCommerce Dropshipping WordPress plugin before 4.4 does not properly sanitise and escape a parameter before using it in a SQL statement via a REST endpoint available to unauthenticated users, leading to a SQL injection.” 
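As an added illustration (not the OPMC plugin's code), the two defects the NVD description names, a parameter used unescaped in SQL and a REST endpoint open to unauthenticated callers, shown beside the corrected handler and route registration. The route namespace, callback names and the SKU lookup are hypothetical; `$wpdb->prepare()`, `register_rest_route()` and the REST argument schema are standard WordPress APIs.

```php
<?php
// Added illustration (not the plugin's code): unescaped parameter in SQL on
// an unauthenticated REST route, and the hardened equivalent.

// VULNERABLE: the request value is interpolated into the query, so a caller
// controls SQL structure, not just data. With permission_callback set to
// '__return_true' at registration time, anyone on the internet can call it.
function vuln_lookup_product( WP_REST_Request $request ) {
    global $wpdb;
    $sku = $request->get_param( 'sku' );
    $sql = "SELECT post_id FROM {$wpdb->postmeta}
            WHERE meta_key = '_sku' AND meta_value = '$sku'";
    return rest_ensure_response( $wpdb->get_col( $sql ) );
}

// HARDENED: the value is bound with $wpdb->prepare(), so it is always data;
// the route requires a capability and declares the argument schema so REST
// validation rejects malformed input before the callback runs.
function safe_lookup_product( WP_REST_Request $request ) {
    global $wpdb;
    $sku = sanitize_text_field( $request->get_param( 'sku' ) );
    $sql = $wpdb->prepare(
        "SELECT post_id FROM {$wpdb->postmeta}
         WHERE meta_key = '_sku' AND meta_value = %s",
        $sku
    );
    return rest_ensure_response( $wpdb->get_col( $sql ) );
}

add_action( 'rest_api_init', function () {
    // Only the hardened route is registered here. The vulnerable shape
    // would differ in two lines: 'callback' => 'vuln_lookup_product' and
    // 'permission_callback' => '__return_true'.
    register_rest_route( 'example-dropship/v1', '/product', array(
        'methods'             => 'GET',
        'callback'            => 'safe_lookup_product',
        'permission_callback' => function () {
            return current_user_can( 'manage_woocommerce' );
        },
        'args' => array(
            'sku' => array(
                'type'              => 'string',
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );
```

Both changes matter independently: `prepare()` removes the injection even for authenticated users, and the permission callback removes the unauthenticated exposure even if a query elsewhere is still flawed.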

5. Role-Based Pricing for WooCommerce: 

This plugin, with over 2,000 installations, has two CSRF vulnerabilities.

As noted for another plugin above, a CSRF vulnerability involves a threat actor deceiving the admin or other users into clicking a link or performing some other action that triggers a request they did not intend. This could result in the actor acting with the user’s permission level on the website. This vulnerability is rated as high as 8.8.

The NVD description of the first vulnerability warns “The Role Based Pricing for WooCommerce WordPress plugin before 1.6.2 does not have authorization and proper CSRF checks, and does not validate files to be uploaded, allowing any authenticated users like subscriber to upload arbitrary files, such as PHP” 

Following this, the official NVD description of the second vulnerability says, “The Role Based Pricing for WooCommerce WordPress plugin before 1.6.3 does not have authorization and proper CSRF checks, as well as does not validate path given via user input, allowing any authenticated users like subscriber to perform PHAR deserialization attacks when they can upload a file, and a suitable gadget chain is present on the blog” 

Moreover, the official Role Based Pricing for WooCommerce WordPress plugin changelog states that the plugin is fully patched in version 1.6.2: 

“Changelog 2022-10-01 – version 1.6.2 

* Fixed the Arbitrary File Upload Vulnerability. 

* Fixed the issue of ajax nonce check.” 
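An added illustration, not any of the listed plugins' code, covering both the CSRF mechanism explained under the Advanced Order Export plugin and the missing authorization, nonce and file checks named in the Role Based Pricing descriptions and changelog: an admin-ajax handler for a privileged action, first with neither check, then with both, plus the upload type check. The action name, option key and allowed file type are hypothetical; `check_ajax_referer()`, `current_user_can()` and `wp_check_filetype_and_ext()` are standard WordPress functions.

```php
<?php
// Added illustration (not plugin code): CSRF + authorization on admin-ajax.

// VULNERABLE: any request reaching admin-ajax.php with a logged-in session
// cookie runs this, including one a third-party page forged on the user's
// behalf. Nothing ties the request to the user's intent or to a role.
function vuln_toggle_export() {
    update_option( 'example_export_enabled', '1' );
    wp_send_json_success( 'export enabled' );
}
add_action( 'wp_ajax_example_export', 'vuln_toggle_export' );

// HARDENED: two independent checks, both required.
// (1) A nonce minted for this action must accompany the request; a page on
//     another origin cannot read it, so it cannot forge the request.
// (2) The user must hold the capability the action needs, so a subscriber
//     with a valid nonce still cannot act as an admin.
function safe_toggle_export() {
    // Verifies the 'nonce' field against action 'example_export' and stops
    // the request with HTTP 403 on failure.
    check_ajax_referer( 'example_export', 'nonce' );
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    update_option( 'example_export_enabled', '1' );
    wp_send_json_success( 'export enabled' );
}
add_action( 'wp_ajax_example_export_safe', 'safe_toggle_export' );

// The legitimate admin page embeds the nonce so its own requests carry it.
function example_export_button_html() {
    return sprintf(
        '<button data-action="example_export_safe" data-nonce="%s">Export</button>',
        esc_attr( wp_create_nonce( 'example_export' ) )
    );
}

// For the arbitrary-file-upload issue: accept only the types the feature
// needs and refuse anything whose extension and content do not agree.
// Returns true only when WordPress can confirm both ext and MIME type.
function safe_upload_ok( $tmp_path, $client_filename ) {
    $allowed = array( 'csv' => 'text/csv' ); // hypothetical allow-list
    $check   = wp_check_filetype_and_ext( $tmp_path, $client_filename, $allowed );
    return ! empty( $check['ext'] ) && ! empty( $check['type'] );
}
```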

Plan of Action

To avoid these consequences, users should update all the vulnerable plugins. It is also best practice to back up the website before updating plugins and, where feasible, to test the updated plugin on a staging copy before deploying it.