October 3, 2023

Thousands of online stores are potentially exposed to hacking due to a critical vulnerability in the WooCommerce Stripe Payment Gateway plugin vulnerability tracked as CVE-2023-34000 could lead to unauthorized disclosure of sensitive information.

The plugin is very popular and has more than 900,000 active installations. It extends WooCommerce, allowing administrators of the e-commerce sites to take payments directly on their store via Stripe’s API.

The vulnerability is an unauthenticated insecure direct object references issue that impacts versions 7.4.0 and below. An attacker can exploit the vulnerability to bypass authorization and access sensitive information.


The issue resides in the javascript_params function and the way order objects are managed, specifically, the experts noticed that there is no proper control to access ‘javascript_params‘ and ‘payment_fields‘ functions.

The issue was addressed by implementing the validation of the fetched ownership. The check is implemented through the is_valid_pay_for_order_endpoint function, which will check the order based on the key and ownership.

Disclosure Timeline

17 April 2023 – Vulnerability was identified and reported to the vendor.
30 May 2023 – WooCommerce Stripe Gateway version 7.4.1 was published to patch the reported issues..
13 June 2023 – Published the article.

Leave a Reply

%d bloggers like this: