A vulnerability was found in the WooCommerce Stripe payment gateway plugin that could allow an attacker to use the plugin to steal customers’ personally identifiable information (PII) from stores.
Security researchers warn that hackers don’t need authentication to run the exploit, which scores a high 7.5 on a scale of 1 to 10.
WooCommerce Stripe Payment Gateway Plugin
Developed by WooCommerce, Automattic, WooThemes and other contributors, the Stripe payment gateway plugin is installed on over 900,000 websites.
It offers customers in WooCommerce stores an easy way to checkout with different credit cards without opening an account.
A Stripe account is automatically created at checkout, providing customers with a seamless e-commerce shopping experience.
The plugin works through an application programming interface (API).
An API is like a bridge between two software programs that allows the WooCommerce store to interact with the Stripe software to seamlessly route orders from the website to Stripe.
What is the WooCommerce Stripe Plugin Vulnerability?
Patchstack security researchers discovered the vulnerability and responsibly disclosed it to the relevant parties.
According to Patchstack security researchers:
“This plugin suffers from an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability.
This vulnerability allows any unauthenticated user to view the PII data of any WooCommerce order, including email, username, and full address.”
Affected versions of the WooCommerce Stripe plugin
The vulnerability affects versions before and equal to version 7.4.0.
The developers associated with the plugin have updated it to version 7.4.1, which is the most secure version.
According to the official plugin changelog, these were the security updates made:
- “Fix – Add order key validation.”
- Fix – Add cleanup and escape of some outputs.”
There are a few issues that needed fixing.
The first appears to be a lack of validation, which is generally a check to verify that a request is from an authorized entity.
The next step is cleanup, which refers to a process of blocking all invalid input. For example, if an input only accepts text, it should be set up to prevent script uploads.
What is mentioned in the changelog is output escaping, which is a way to block unwanted and malicious input.
The non-profit security organization Open Worldwide Application Security Project (OWASP) explains it this way:
“Coding and escape are defensive techniques designed to stop injection attacks.”
The official WordPress API guide explains it like this:
“Escape output is the process of saving output data by removing unwanted data such as malformed HTML or script tags.
This process helps protect your data before it’s made available to the end user.”
Plugin users are strongly advised to update their plugins to version 7.4.1 immediately
Read the Security Advisory at Patchstack:
Unauthenticated IDOR to PII Disclosure in WooCommerce Stripe Gateway Plugin
Featured image from Shutterstock/FedorAnisimov
