October 3, 2023

Thousands of online stores are potentially exposed to hacking due to a critical vulnerability in the WooCommerce Stripe Payment Gateway plugin vulnerability tracked as CVE-2023-34000 could lead to unauthorized disclosure of sensitive information.

The plugin is very popular and has more than 900,000 active installations. It extends WooCommerce, allowing administrators of the e-commerce sites to take payments directly on their store via Stripe’s API.

The vulnerability is an unauthenticated insecure direct object references issue that impacts versions 7.4.0 and below. An attacker can exploit the vulnerability to bypass authorization and access sensitive information.

Advertisements

The issue resides in the javascript_params function and the way order objects are managed, specifically, the experts noticed that there is no proper control to access ‘javascript_params‘ and ‘payment_fields‘ functions.

The issue was addressed by implementing the validation of the fetched ownership. The check is implemented through the is_valid_pay_for_order_endpoint function, which will check the order based on the key and ownership.

Disclosure Timeline

17 April 2023 – Vulnerability was identified and reported to the vendor.
30 May 2023 – WooCommerce Stripe Gateway version 7.4.1 was published to patch the reported issues..
13 June 2023 – Published the article.

Tags:

Leave a Reply

You may have missed

Industrial Control Systems and Vulnerability Management Process

October 2, 2023

McLaren Healthcare suffers a Ransomware Incident

October 2, 2023

TheCyberThrone CyberSecurity Newsletter Top 5 Articles – September, 2023

October 2, 2023

TheCyberThrone Security Week In Review – September 30, 2023

October 1, 2023

Mozilla fixes CVE-2023-5217 Vulnerability in its Products

September 30, 2023

CISA KEV Update Part III – September 2023

September 30, 2023
%d bloggers like this: