Security Affairs
AsyncAPI npm Supply Chain Attack: Malware Injected Into Packages With 2 Million Weekly Downloads|U.S. CISA adds SonicWall and Microsoft flaws to its Known Exploited Vulnerabilities catalog|SonicWall warns of active exploitation of two SMA 1000 zero-days|Patch Tuesday security updates for July 2026, the largest update ever. 621 CVEs in one month|U.S. Treasury Sanctions VPN Provider and Cryptor Seller Behind Billions in Ransomware Losses|Attacker Used AI to Build Custom PowerShell Recon Malware|Malware Hits Japan’s Largest Taxi Company Nihon Kotsu, Services Temporarily Suspended|CrashStealer: New macOS Infostealer Uses Signed Apps to Evade Gatekeeper|Lidl Notified Online Shop Customers in Germany, Belgium, and the Netherlands of a Data Breach|U.S. CISA adds a Cisco IOS flaw to its Known Exploited Vulnerabilities catalog|EU Targets FSB-Linked Hackers in New Sanctions Over Cyber Sabotage|Dutch Nationals Suspected in Odido Hack That Exposed Six Million Customers|AsyncAPI npm Supply Chain Attack: Malware Injected Into Packages With 2 Million Weekly Downloads|U.S. CISA adds SonicWall and Microsoft flaws to its Known Exploited Vulnerabilities catalog|SonicWall warns of active exploitation of two SMA 1000 zero-days|Patch Tuesday security updates for July 2026, the largest update ever. 621 CVEs in one month|U.S. Treasury Sanctions VPN Provider and Cryptor Seller Behind Billions in Ransomware Losses|Attacker Used AI to Build Custom PowerShell Recon Malware|Malware Hits Japan’s Largest Taxi Company Nihon Kotsu, Services Temporarily Suspended|CrashStealer: New macOS Infostealer Uses Signed Apps to Evade Gatekeeper|Lidl Notified Online Shop Customers in Germany, Belgium, and the Netherlands of a Data Breach|U.S. CISA adds a Cisco IOS flaw to its Known Exploited Vulnerabilities catalog|EU Targets FSB-Linked Hackers in New Sanctions Over Cyber Sabotage|Dutch Nationals Suspected in Odido Hack That Exposed Six Million Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Critical flaw found in WooCommerce Stripe Gateway Plugin used by +900K sites

Hundreds of thousands of online stores are potentially exposed to hacking due to a critical vulnerability in the WooCommerce Stripe Payment Gateway plugin. The WooCommerce Stripe Payment Gateway plugin is affected by a critical vulnerability tracked as CVE-2023-34000. The Stripe plugin extends WooCommerce allowing administrators of the e-commerce sites to take payments directly on their […]

WooCommerce Stripe Payment Gateway

Hundreds of thousands of online stores are potentially exposed to hacking due to a critical vulnerability in the WooCommerce Stripe Payment Gateway plugin.

The WooCommerce Stripe Payment Gateway plugin is affected by a critical vulnerability tracked as CVE-2023-34000.

The Stripe plugin extends WooCommerce allowing administrators of the e-commerce sites to take payments directly on their store via Stripe’s API.

Stripe is a simple way to accept payments online, it supports Visa, MasterCard, American Express, Discover, JCB, and Diners Club cards, even Bitcoin payment channels.

The plugin is very popular and has more than 900,000 active installations.

WooCommerce Stripe Payment Gateway

A security flaw has been uncovered in the WooCommerce Stripe Gateway WordPress plugin that could lead to the unauthorized disclosure of sensitive information.

The vulnerability is an unauthenticated Insecure direct object references (IDOR) issue that impacts versions 7.4.0 and below. An attacker can exploit the vulnerability to bypass authorization and access sensitive information.

“This plugin suffers from an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability. This vulnerability allows any unauthenticated user to view any WooCommnerce order’s PII data including email, user’s name, and full address.” reads the advisory published by securityfirm PatchStack. “The described vulnerability was fixed in version 7.4.1 with some backported fixed version and assigned CVE-2023-34000.”

The issue resides in the javascript_params function and the way order objects are managed, specifically, the experts noticed that there is no proper control to access ‘javascript_params‘ and ‘payment_fields‘ functions.

“Notice that the code will fetch an order object to $order variable using the $order_id variable. The $order_id variable is constructed from $wp->query_vars[‘order-pay’]. According to the query_vars documentation, this hook could be used to fetch parameter from the GET parameters. The code then will construct a $stripe_params variable with details from the $order object such as user’s full name and full address.” continues the advsory. “There is no orders ownership check on the rest of the function code and the function will return $order as an object. When traced, the javascript_params variable could be called from the payment_scripts function”

The experts noticed that the issue was addressed by implementing the validation of the fetched order ownership. The check is implemented through the is_valid_pay_for_order_endpoint function which will check the order based on the key and ownership.

Below is the disclosure timeline for the above issue:

17 April 2023 – We found the vulnerability and reached out to the plugin vendor.
30 May 2023 – WooCommerce Stripe Gateway version 7.4.1 was published to patch the reported issues.
13 June 2023 – Added the vulnerabilities to the Patchstack vulnerability database.
13 June 2023 – Published the article.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)