PII Exposed: Unauthenticated IDOR in WooCommerce Stripe Plugin
A critical security vulnerability has been discovered in the popular WooCommerce Stripe Gateway plugin, potentially exposing users’ personally identifiable information (PII).
The vulnerability, an unauthenticated insecure direct object reference (IDOR), affects versions 7.4.0 and below of the plugin, which boasts over 900,000 active installations.
“This plugin is a WordPress plugin which allows you to accept payments directly on a store for web and mobile,” wrote security researcher Rafie Muhammad from Patchstack in an advisory published on Tuesday.
“With the plugin, customers can stay in the store during checkout instead of being redirected to an externally hosted checkout page.”
Muhammad added that the flaw could allow unauthenticated users to access user information associated with WooCommerce orders.
“This vulnerability allows any unauthenticated user to view any WooCommerce order’s PII data, including email, user’s name, and full address.”
From a technical standpoint, the vulnerability stems from inadequate validation of order ownership and can be exploited by manipulating query parameters. By leveraging this flaw, attackers can extract PII data by bypassing authentication controls.
In the Patchstack advisory, Muhammad said the security firm found and disclosed the flaw to WooCommerce on April 17, 2023.
The plugin vendor then released a patch to address the vulnerability on May 30. WooCommerce Stripe Gateway version 7.4.1 or later should be installed immediately to mitigate the risk.
“If you’re a WooCommerce Stripe Gateway user, please update the plugin to at least version 7.4.1,” Muhammad said.
Despite the patches, the security researcher warned website owners and developers using the WooCommerce Stripe Gateway plugin to stay vigilant and always enforce access control around order objects by checking both the order key and the order's ownership.
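To make the ownership check concrete, here is an added illustration (not code from the plugin or from Patchstack) of the pattern the article describes: a hypothetical order-lookup handler that trusts an `order_id` query parameter alone, beside a hardened version that also requires the order key and, for orders placed by an account, the owning user. The handler names and the `order_id`/`key` parameters are assumptions; the WooCommerce and WordPress functions called are real.

```php
<?php
// Added illustration (not the plugin's code). Handler names and the
// order_id / key query parameters are invented for this example; the
// WooCommerce (wc_get_order, WC_Order getters) and WordPress
// (get_current_user_id, wp_send_json_*) functions are real.

// VULNERABLE pattern: the order id alone selects the record, so any visitor
// who supplies a different id receives another customer's billing PII.
function example_order_details_insecure() {
    $order = wc_get_order( absint( $_GET['order_id'] ?? 0 ) );
    if ( ! $order ) {
        wp_send_json_error( 'not found', 404 ); // wp_send_json_* exits
    }
    wp_send_json_success( array(
        'email'   => $order->get_billing_email(),
        'name'    => $order->get_formatted_billing_full_name(),
        'address' => $order->get_formatted_billing_address(),
    ) );
}

// HARDENED pattern: the caller must prove a relationship to the order.
// The unguessable order key is required for every lookup; an order tied to
// a customer account is additionally restricted to that logged-in account.
// Both failures return the same 404 as a missing order, so the response
// does not reveal whether the id exists.
function example_order_details_secure() {
    $order_id = absint( $_GET['order_id'] ?? 0 );
    $key      = sanitize_text_field( wp_unslash( $_GET['key'] ?? '' ) );
    $order    = wc_get_order( $order_id );

    // Constant-time compare of the supplied key against the stored order key.
    $key_ok = $order && '' !== $key && hash_equals( $order->get_order_key(), $key );

    // Ownership: customer_id 0 is a guest checkout (key alone suffices);
    // otherwise the current user must be the order's owner.
    $owner_id = $order ? (int) $order->get_customer_id() : 0;
    $owner_ok = ( 0 === $owner_id ) || ( $owner_id === get_current_user_id() );

    if ( ! $key_ok || ! $owner_ok ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( array(
        'email'   => $order->get_billing_email(),
        'name'    => $order->get_formatted_billing_full_name(),
        'address' => $order->get_formatted_billing_address(),
    ) );
}
```

The key check alone already closes the unauthenticated enumeration path; the ownership check prevents a leaked or shared key from exposing an account holder's order to someone else.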
The WooCommerce patches come a couple of months after the firm behind the popular WordPress plugin Elementor updated its product to fix a critical vulnerability that could be exploited to change the appearance of websites.