Critical flaw found in WooCommerce Stripe Gateway Plugin used by +900K sites

Hundreds of thousands of online stores are potentially exposed to hacking due to a critical vulnerability in the WooCommerce Stripe Payment Gateway plugin.

The WooCommerce Stripe Payment Gateway plugin is affected by a critical vulnerability tracked as CVE-2023-34000.

The Stripe plugin extends WooCommerce allowing administrators of the e-commerce sites to take payments directly on their store via Stripe’s API.

Stripe is a simple way to accept payments online, it supports Visa, MasterCard, American Express, Discover, JCB, and Diners Club cards, even Bitcoin payment channels.

The plugin is very popular and has more than 900,000 active installations.

A security flaw has been uncovered in the WooCommerce Stripe Gateway WordPress plugin that could lead to the unauthorized disclosure of sensitive information.

The vulnerability is an unauthenticated Insecure direct object references (IDOR) issue that impacts versions 7.4.0 and below. An attacker can exploit the vulnerability to bypass authorization and access sensitive information.

“This plugin suffers from an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability. This vulnerability allows any unauthenticated user to view any WooCommnerce order’s PII data including email, user’s name, and full address.” reads the advisory published by securityfirm PatchStack. “The described vulnerability was fixed in version 7.4.1 with some backported fixed version and assigned CVE-2023-34000.”

The issue resides in the javascript_params function and the way order objects are managed, specifically, the experts noticed that there is no proper control to access ‘javascript_params‘ and ‘payment_fields‘ functions.

“Notice that the code will fetch an order object to $order variable using the $order_id variable. The $order_id variable is constructed from $wp->query_vars[‘order-pay’]. According to the query_vars documentation, this hook could be used to fetch parameter from the GET parameters. The code then will construct a $stripe_params variable with details from the $order object such as user’s full name and full address.” continues the advsory. “There is no orders ownership check on the rest of the function code and the function will return $order as an object. When traced, the javascript_params variable could be called from the payment_scripts function”

The experts noticed that the issue was addressed by implementing the validation of the fetched order ownership. The check is implemented through the is_valid_pay_for_order_endpoint function which will check the order based on the key and ownership.

Below is the disclosure timeline for the above issue:

17 April 2023 – We found the vulnerability and reached out to the plugin vendor.
30 May 2023 – WooCommerce Stripe Gateway version 7.4.1 was published to patch the reported issues.
13 June 2023 – Added the vulnerabilities to the Patchstack vulnerability database.
13 June 2023 – Published the article.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)