Patchstack is reporting an Insecure Direct Object References (IDOR) vulnerability in WooCommerce Stripe Gateway, the popular WooCommerce Stripe payment plugin with more than 900,000 active users. It was discovered by Patchstack researcher Rafie Muhammad on April 17, 2023, and patched by WooCommerce on May 30, 2023, in version 7.4.1.
The security advisory describes the vulnerability as follows:
This vulnerability allows any unauthenticated user to view any WooCommerce order's PII data including email, user's name, and full address. The described vulnerability was fixed in version 7.4.1 with some backported fixed version and assigned CVE-2023-34000.
It was assigned a high severity CVSS 3.1 score of 7.5 and added to the Patchstack database on June 13.
The vulnerability affects versions 7.4.0 and below. Although the patch from WooCommerce has been available for two weeks, more than 55% of the plugin's user base is running versions older than 7.4, and it's not clear how many 7.4.x users are on the latest version.
The WooCommerce Stripe Gateway plugin's changelog for version 7.4.1 includes two short notes and doesn't elaborate on the severity of the security update:
- Fix – Add Order Key Validation.
- Fix – Add sanitization and escaping some outputs.
Patchstack's security advisory includes more technical details about the underlying vulnerabilities fixed in this update. It isn't yet known to have been exploited, but store owners are encouraged to update to the latest 7.4.1 version as soon as possible.
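To show what "Add Order Key Validation" means in practice, here is an added illustration of the IDOR pattern and its fix in WooCommerce terms. It is not the plugin's own code and does not reproduce the actual vulnerable endpoint; the `example_` functions and the `example/v1/order` route are hypothetical, and the WooCommerce and WordPress calls (`wc_get_order`, `WC_Order::get_order_key`, `register_rest_route`) are assumed to be available.

```php
<?php
// Added illustration (hypothetical, not the plugin's code): an order-lookup
// endpoint. The weak handler trusts the sequential order ID alone, so any
// visitor who supplies an ID receives that order's data (an IDOR). The
// hardened handler also requires the order key, a random per-order secret
// WooCommerce generates, and compares it in constant time before responding.

// Weak: the guessable order ID is the only "credential" (vulnerable pattern).
function example_get_order_weak( WP_REST_Request $request ) {
    $order = wc_get_order( absint( $request['order_id'] ) );
    if ( ! $order ) {
        return new WP_Error( 'not_found', 'Order not found', array( 'status' => 404 ) );
    }
    return example_order_payload( $order );
}

// Hardened: require the per-order key and validate it before exposing anything.
function example_get_order_hardened( WP_REST_Request $request ) {
    $order = wc_get_order( absint( $request['order_id'] ) );
    $key   = sanitize_text_field( (string) $request['key'] );

    // Treat "no such order" and "wrong key" identically so the response does
    // not confirm which order IDs exist.
    if ( ! $order || '' === $key || ! hash_equals( $order->get_order_key(), $key ) ) {
        return new WP_Error( 'invalid_order', 'Invalid order', array( 'status' => 403 ) );
    }
    return example_order_payload( $order );
}

// Only the fields the caller needs; PII stays behind the key check above.
function example_order_payload( WC_Order $order ) {
    return array(
        'id'     => $order->get_id(),
        'status' => $order->get_status(),
        'total'  => $order->get_total(),
    );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/order/(?P<order_id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'example_get_order_hardened',
        // The route stays public (guest checkout), so the order key is the
        // authorization; the callback enforces it.
        'permission_callback' => '__return_true',
        'args'                => array( 'key' => array( 'required' => true ) ),
    ) );
} );
```

A quick check that an endpoint is not exposed this way: request an order URL with the ID changed and the key omitted or altered, and confirm the response is a uniform error rather than another customer's details.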