WordPress Plugin Flaw Leaks Online Store Buyers' Data

Researchers at the security company Patchstack have found a vulnerability in the WooCommerce Stripe Gateway plugin for WordPress that could allow unauthorized access to the details of orders placed through the plugin. The plugin lets websites accept multiple payment methods through the Stripe payments API and currently has over 900,000 active installations. The vulnerability has been assigned the identifier CVE-2023-34000 and is an insecure direct object reference (IDOR) that can expose confidential data to attackers.

The consequences of this vulnerability include unauthorized access to personal data such as email addresses, full names, and delivery addresses, which could lead to follow-on attacks on accounts and targeted phishing emails. The root cause is insecure handling of order objects combined with missing access-control checks in the plugin's functions.
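To make the IDOR class concrete, here is an added illustration of an order-lookup AJAX handler: the first version trusts the client-supplied order ID and returns buyer data to anyone who reaches the endpoint, the second enforces a nonce and an ownership check first. This is not Patchstack's finding, not code from the WooCommerce Stripe Gateway plugin, and not the actual vulnerable code path; the `example_` function and action names are assumptions, while the WordPress/WooCommerce API calls are real.

```php
<?php
// Hypothetical handlers for a WordPress/WooCommerce plugin (constructed example).

// VULNERABLE PATTERN: any caller who supplies an order ID gets that buyer's data.
function example_get_order_insecure() {
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( example_order_payload( $order ) );
}

// HARDENED PATTERN: same lookup, but the caller must prove a right to this order.
function example_get_order_secure() {
    check_ajax_referer( 'example_order_nonce', 'nonce' ); // reject cross-site requests

    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $key      = isset( $_POST['key'] ) ? wc_clean( wp_unslash( $_POST['key'] ) ) : '';
    $order    = wc_get_order( $order_id );

    // Authorisation: the logged-in customer who placed the order, a guest holding
    // the per-order secret key, or a shop manager. Unknown IDs and unauthorised
    // IDs get the same answer so the endpoint is not an order-existence oracle.
    $allowed = false;
    if ( $order ) {
        $uid     = get_current_user_id();
        $allowed = ( $uid && (int) $order->get_customer_id() === $uid )
            || ( '' !== $key && hash_equals( $order->get_order_key(), $key ) )
            || current_user_can( 'manage_woocommerce' );
    }
    if ( ! $allowed ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( example_order_payload( $order ) );
}

// The personal data both handlers return; exactly what an IDOR would expose.
function example_order_payload( WC_Order $order ) {
    return array(
        'email'   => $order->get_billing_email(),
        'name'    => $order->get_formatted_billing_full_name(),
        'address' => $order->get_formatted_shipping_address(),
    );
}

add_action( 'wp_ajax_example_get_order', 'example_get_order_secure' );
add_action( 'wp_ajax_nopriv_example_get_order', 'example_get_order_secure' );
```

The nonce alone is not an access control: without the ownership check, a logged-in user with a valid nonce could still iterate order IDs, which is the failure mode the article describes.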

The vulnerability affects all versions of WooCommerce Stripe Gateway below 7.4.1. Users of vulnerable versions are advised to update to the latest release. Patchstack reported the flaw to WooCommerce on April 17, 2023, and the fixed version (7.4.1) was released on May 30, 2023.

According to WordPress.org statistics, half of the plugin's active installations are still running a vulnerable version, leaving a large attack surface that will attract the attention of cybercriminals. To reduce the risk, WordPress administrators should update all their plugins, deactivate unused ones, and monitor their sites for suspicious activity such as changed files or settings, or the creation of new administrator accounts.

Sources: reports, release notes, official announcements.