WooCommerce Stripe Plugin Fixes Security Flaw in 7.4.1

Patchstack, a cybersecurity company, has reported an Insecure Direct Object Reference (IDOR) vulnerability in the WooCommerce Stripe Gateway plugin. This plugin is the most popular payment plugin for WooCommerce, with over 900,000 active installations. The vulnerability was discovered by Patchstack researcher Rafie Muhammad on April 17, 2023, and was patched by WooCommerce on May 30, 2023, in version 7.4.1.

The vulnerability allows any unauthenticated visitor to view the Personally Identifiable Information (PII) of any WooCommerce order, including the customer’s email, name, and full address. It was fixed in version 7.4.1, with fixes also backported to earlier release branches, and assigned CVE-2023-34000. It carries a high-severity CVSS 3.1 score of 7.5 and was added to the Patchstack database on June 13.

The vulnerability affects versions 7.4.0 and below. Although the patch from WooCommerce has been available for two weeks, more than 55% of the plugin’s user base is still running versions older than 7.4, and it is not clear how many 7.4.x users are on the patched release.

The WooCommerce Stripe Gateway plugin’s changelog for version 7.4.1 includes two short notes and doesn’t elaborate on the severity of the security update. The notes mention adding order key validation, and sanitizing and escaping some outputs. In other words, the affected code looked up an order from a request parameter without requiring proof that the requester was entitled to that order; the fix requires the per-order key that WooCommerce generates at checkout.
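To make the IDOR and the order-key fix concrete, here is an added example of the vulnerable pattern beside a hardened form. This is illustrative code written for this article, not the plugin’s actual code before or after the patch. It assumes it runs inside WordPress with WooCommerce loaded and uses their real functions (`wc_get_order()`, `WC_Order::key_is_valid()`, `absint()`, `sanitize_text_field()`, `wp_send_json_*()`); the handler names, the `order_id` and `key` request parameters, and the response shape are assumptions.

```php
<?php
// Illustrative example added to this article; not the plugin's own code.
// Assumes WordPress + WooCommerce are loaded. Function names prefixed
// "example_" and the request parameter names are assumptions.

/**
 * BEFORE (IDOR): any visitor who can guess or enumerate an order ID gets that
 * order's billing PII. The only "authorization" is knowing the ID, and
 * WooCommerce order IDs are sequential post IDs, so enumeration is trivial.
 */
function example_order_details_vulnerable() {
    $order_id = isset( $_GET['order_id'] ) ? absint( $_GET['order_id'] ) : 0;
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( array( 'message' => 'Order not found' ), 404 );
    }
    wp_send_json_success( example_order_pii( $order ) );
}

/**
 * AFTER: the caller must also present the order key, a per-order secret that
 * WooCommerce generates at checkout (the "key=wc_order_..." value seen in
 * order-received and order-pay URLs). WC_Order::key_is_valid() compares it
 * with hash_equals(), so the check does not leak timing information. A wrong
 * or missing key gets the same 404 as a non-existent order, so the endpoint
 * also stops confirming which order IDs exist.
 */
function example_order_details_fixed() {
    $order_id = isset( $_GET['order_id'] ) ? absint( $_GET['order_id'] ) : 0;
    $key      = isset( $_GET['key'] ) ? sanitize_text_field( wp_unslash( $_GET['key'] ) ) : '';
    $order    = wc_get_order( $order_id );

    if ( ! $order || '' === $key || ! $order->key_is_valid( $key ) ) {
        wp_send_json_error( array( 'message' => 'Order not found' ), 404 );
    }
    wp_send_json_success( example_order_pii( $order ) );
}

/**
 * The fields the article describes as exposed. Outputs are escaped before
 * being returned, which is the other item in the 7.4.1 changelog.
 */
function example_order_pii( WC_Order $order ) {
    return array(
        'email'   => esc_html( $order->get_billing_email() ),
        'name'    => esc_html( $order->get_formatted_billing_full_name() ),
        'address' => wp_kses_post( $order->get_formatted_billing_address() ),
    );
}

// Only the hardened handler is registered; the vulnerable one is kept above
// purely for comparison. "nopriv" exposes the endpoint to logged-out visitors,
// which is exactly the population an IDOR on this route would serve.
add_action( 'wp_ajax_nopriv_example_order_details', 'example_order_details_fixed' );
add_action( 'wp_ajax_example_order_details', 'example_order_details_fixed' );
```

Two design points are worth noting. Returning an identical 404 for “no such order” and “wrong key” is a deliberate choice so the endpoint cannot be used as an order-ID oracle, and sanitizing the key before comparison is harmless because valid keys are plain ASCII. Store owners who want to confirm what they are running can check the installed version with WP-CLI, for example `wp plugin get woocommerce-gateway-stripe --field=version`, and treat anything at or below 7.4.0 as affected.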

Patchstack’s security advisory includes more technical details about underlying vulnerabilities fixed in this update. It is not yet known to have been exploited, but store owners are encouraged to update to the latest 7.4.1 version as soon as possible.

The WooCommerce Stripe Gateway plugin has been found to have a high-severity vulnerability that allows unauthorized access to customer PII. The vulnerability has been fixed in version 7.4.1, but many sites are still running older versions. Store owners are advised to update to the latest version as soon as possible.
