The WooCommerce Stripe Gateway plugin for WordPress, used by 900,000 e-commerce sites, has been found to have a vulnerability that allows unauthenticated users to view order details.
Furthermore, security analysts at Patchstack discovered the flaw, identified as CVE-2023-34000, which stems from an unauthenticated insecure direct object reference (IDOR) flaw in the plugin. This flaw could lead to the exposure of personally identifiable information (PII), including email addresses, shipping addresses, and full names.
The vulnerability poses a severe risk as it could enable additional attacks such as account hijacking and credential theft through targeted phishing emails. The flaw is a result of insecure handling of order objects and a lack of proper access control measures in the plugin’s ‘javascript_params’ and ‘payment_fields’ functions.
All versions of WooCommerce Stripe Gateway below 7.4.1 are affected, and users are strongly advised to upgrade to the recommended version.
Additionally, WordPress.org statistics indicate that more than half of the active installations of the plugin currently use a vulnerable version, making it an attractive target for cybercriminals. This vulnerability adds to a series of recent incidents involving hackers targeting vulnerable WordPress plugins.
To mitigate the risk, WordPress site administrators should regularly update their plugins, deactivate those that are unnecessary, and monitor their websites for any suspicious activities such as file modifications, changes in settings, or unauthorized creation of admin accounts.
