Advisory

Critical Vulnerability reported in WooCommerce Stripe Gateway Plugin

Take action: WooCommerce and Stripe users - patch your plugin to avoid exposing/leaking your customer data.



A security vulnerability has been discovered in the WooCommerce Stripe Gateway WordPress plugin, which could potentially expose sensitive information without authorization. This flaw, known as CVE-2023-34000, affects versions 7.4.0 and earlier.

The plugin maintainers have addressed the issue in version 7.4.1.

WooCommerce Stripe Gateway has over 900,000 active installations.

The plugin suffers from an unauthenticated Insecure Direct Object Reference (IDOR) vulnerability. This class of flaw allows an attacker to reference an object, such as a website path or record identifier, directly and gain access to resources that should be protected by proper authorization checks.

This vulnerability enables any unauthenticated user to view personally identifiable information (PII) data associated with any WooCommerce order, including email addresses, user names, and complete addresses.
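To make the IDOR class concrete for WooCommerce site owners and plugin developers, the following is an added, illustrative example. It is not code from the WooCommerce Stripe Gateway plugin and does not reproduce the reported flaw; it shows a generic order-lookup REST endpoint that trusts the caller-supplied order id with no authorization check, beside a hardened version that ties the reference to the logged-in customer or to store staff. The `example/v1` namespace, the route names and the helper `example_can_view_order()` are assumptions made for this demo; the WordPress and WooCommerce functions called (`register_rest_route`, `wc_get_order`, `current_user_can`, `get_current_user_id`) are real APIs.

```php
<?php
// Added illustrative example, not the plugin's own code.
// Namespace 'example/v1', route names and example_can_view_order() are assumptions.

// --- IDOR-prone pattern: any caller can read any order just by guessing its id ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/order-insecure/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'permission_callback' => '__return_true', // no authorization at all
        'callback'            => function ( WP_REST_Request $request ) {
            $order = wc_get_order( (int) $request['id'] );
            if ( ! $order ) {
                return new WP_Error( 'not_found', 'Order not found', array( 'status' => 404 ) );
            }
            // Returns the order's PII to whoever supplied a valid id.
            return array(
                'email'   => $order->get_billing_email(),
                'name'    => $order->get_formatted_billing_full_name(),
                'address' => $order->get_formatted_billing_address(),
            );
        },
    ) );
} );

// --- Hardened pattern: the object reference is checked against the caller ---
function example_can_view_order( int $order_id ): bool {
    $order = wc_get_order( $order_id );
    if ( ! $order ) {
        // Unknown ids are treated like forbidden ones, so the endpoint
        // does not act as an oracle for which order numbers exist.
        return false;
    }
    // Store staff may view any order.
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }
    // Otherwise the order must belong to the logged-in customer.
    $user_id = get_current_user_id();
    return $user_id > 0 && (int) $order->get_customer_id() === $user_id;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/order/(?P<id>\d+)', array(
        'methods'             => 'GET',
        // Authorization is decided before the callback runs: anonymous
        // callers get 401, other customers get 403.
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! is_user_logged_in() ) {
                return new WP_Error( 'rest_unauthorized', 'Login required', array( 'status' => 401 ) );
            }
            if ( ! example_can_view_order( (int) $request['id'] ) ) {
                return new WP_Error( 'rest_forbidden', 'Not your order', array( 'status' => 403 ) );
            }
            return true;
        },
        'callback'            => function ( WP_REST_Request $request ) {
            $order = wc_get_order( (int) $request['id'] );
            return array(
                'email'   => $order->get_billing_email(),
                'name'    => $order->get_formatted_billing_full_name(),
                'address' => $order->get_formatted_billing_address(),
            );
        },
    ) );
} );
```

The point of the hardened version is that the authorization decision lives in `permission_callback`, where WordPress evaluates it before any handler code runs, and that the check compares the referenced order to the caller's identity rather than merely confirming the order exists. When auditing a plugin for this class of issue, look for REST routes or AJAX handlers whose `permission_callback` is `__return_true` (or missing) while the handler loads an order, customer or payment record from a request parameter.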

This discovery comes shortly after the WordPress core team released versions 6.2.1 and 6.2.2 to address several security issues, including an unauthenticated directory traversal vulnerability and an unauthenticated cross-site scripting flaw.
