Vulnerabilities  
June 14, 2023

Customer details exposed due to bug in WordPress Stripe payment plugin

In the world of WordPress e-commerce, the WooCommerce Stripe Payment plugin plays a vital role by serving as a payment gateway. With an impressive count of 900,000 active installations, this plugin enables online stores to accept a variety of payment methods including Visa, MasterCard, American Express, Apple Pay, and Google Pay.

However, a recent investigation has uncovered a critical flaw in the plugin: a bug that allows unauthorised individuals to access sensitive order details without any authentication.

Further research revealed that this widely used plugin carries a substantial security vulnerability, tracked as CVE-2023-34000. The flaw is an unauthenticated insecure direct object reference (IDOR), which makes it especially serious: it gives malicious actors a route to access and exploit sensitive information.

This critical vulnerability presents a significant risk, granting unauthenticated users the ability to access checkout page data. This includes highly sensitive personally identifiable information (PII) such as email addresses, shipping addresses, and the user’s full name.

The data exposure is classed as severe and has the potential to result in further security breaches, including attempted account hijackings and targeted phishing emails aimed at stealing credentials.

The vulnerability arises from insecure handling of order objects and the absence of adequate access control checks in the plugin's 'javascript_params' and 'payment_fields' functions.

These coding mistakes allow the functions to be abused to reveal order details of any WooCommerce instance, because neither the requester's permissions nor the order's ownership (that the order belongs to the requesting user) is verified.
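To make the defect concrete, here is an added Python model of the pattern just described; it is not the plugin's PHP code and is not taken from Patchstack's advisory. It shows a checkout-parameter handler that loads an order from a request-supplied id and hands its PII to the page without checking who is asking, beside a hardened handler that enforces a permission and ownership check before returning anything. The Order and Request types, the sample orders, the capability flag and the rule that a guest must present the order's secret key (modelled on how WooCommerce order-pay links work) are all assumptions made for the illustration.

```python
"""Model of the IDOR described for CVE-2023-34000: order data handed to the
checkout page without a permission or ownership check, beside a hardened
handler. Added illustration, not the plugin's code; the order store, the
Request type and the guest order-key rule are constructed assumptions."""
from dataclasses import dataclass
from typing import Optional
import hmac


@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: int        # 0 means a guest checkout (no WordPress user)
    order_key: str          # per-order secret used in guest links (assumption)
    email: str
    full_name: str
    shipping_address: str


@dataclass(frozen=True)
class Request:
    order_id: Optional[int] = None   # the order id parameter sent by the client
    order_key: Optional[str] = None  # secret key from a guest order link, if any
    user_id: int = 0                 # 0 means unauthenticated
    can_manage_orders: bool = False  # shop-manager / administrator capability


class AccessDenied(Exception):
    """Raised when the request is not allowed to see the order."""


# Constructed sample orders (not real customer data).
ORDERS = {
    101: Order(101, 7, "wc_order_k1", "alice@example.com",
               "Alice Example", "1 High St, Chichester"),
    102: Order(102, 0, "wc_order_k2", "guest@example.com",
               "Guest Buyer", "2 Low St, Bognor"),
}


def _pii(order: Order) -> dict:
    # The fields the checkout script is handed; this is the data at risk.
    return {"email": order.email, "full_name": order.full_name,
            "shipping_address": order.shipping_address}


def javascript_params_vulnerable(req: Request) -> dict:
    """The defect: the order is loaded from a client-controlled id and its
    details are returned with no authentication or ownership check."""
    if req.order_id is None:
        return {}
    order = ORDERS.get(req.order_id)
    return _pii(order) if order else {}


def can_view_order(req: Request, order: Order) -> bool:
    """Access rule the hardened handler enforces (assumed model): staff may
    view any order, a logged-in customer only their own, and a guest only
    when presenting the order's secret key (compared in constant time)."""
    if req.can_manage_orders:
        return True
    if req.user_id and req.user_id == order.customer_id:
        return True
    if req.order_key is not None:
        return hmac.compare_digest(req.order_key, order.order_key)
    return False


def javascript_params_fixed(req: Request) -> dict:
    """Hardened handler: same output, but only after the ownership check.
    Unknown ids and unauthorised requests fail the same way, so the response
    does not reveal whether a given order id exists."""
    if req.order_id is None:
        return {}
    order = ORDERS.get(req.order_id)
    if order is None or not can_view_order(req, order):
        raise AccessDenied(f"order {req.order_id}: not permitted")
    return _pii(order)


def is_denied(req: Request) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        javascript_params_fixed(req)
    except AccessDenied:
        return True
    return False


def count_unauthorised_disclosures(requests, handler) -> int:
    """Replay requests against a handler and count how many returned PII to a
    caller that can_view_order would have rejected. Running this over both
    handlers shows the gap the access check closes."""
    leaked = 0
    for req in requests:
        try:
            data = handler(req)
        except AccessDenied:
            continue
        order = ORDERS.get(req.order_id)
        if data and order is not None and not can_view_order(req, order):
            leaked += 1
    return leaked
```

The point to take from the comparison is that the hardened handler returns exactly the same data to a legitimate caller; the only change is that it refuses to load an order on behalf of someone who is neither staff, the order's owner, nor the holder of the order's key. Replaying a constructed set of requests through count_unauthorised_disclosures gives a quick regression check that a handler no longer leaks.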

The vulnerability affects all versions of WooCommerce Stripe Gateway prior to 7.4.1. Users are strongly advised to upgrade to version 7.4.1.

CVE-2023-34000 was uncovered and reported to the plugin vendor by Patchstack on April 17, 2023. Following this, a patch was released on May 30th, 2023, with version 7.4.1.

Based on statistics from WordPress.org, more than half of the active installations of the plugin are presently running a vulnerable version. This significantly broadens the pool of potential targets for cybercriminals and increases the likelihood that they will attempt to exploit the vulnerability.

In Conclusion

To mitigate the risk of vulnerabilities like the one described, WordPress site administrators should ensure they consistently update all plugins, deactivate unnecessary ones, and maintain vigilance by monitoring their sites for any signs of suspicious activity, such as file modifications, changes to settings, or unauthorised creation of new admin accounts.

Employing the services of a cybersecurity company can greatly aid in preventing and addressing these types of issues. These companies have expertise in identifying and patching vulnerabilities, implementing robust security measures, and providing continuous monitoring and incident response. By partnering with a cybersecurity company to complete regular penetration testing, site administrators can enhance their overall security posture, reduce the likelihood of successful attacks, and swiftly address any potential threats or breaches that may arise.
