A security vulnerability in the WooCommerce Stripe Gateway plugin for WordPress shops could allow attackers to access customer data, including names, addresses, and email addresses. Admins are advised to update the plugin to version 7.4.1 to fix the issue.

Vulnerabilities

  • CVE ID: CVE-2023-34000 (risk: “high”)

Anyone who runs a WordPress-based online store with the WooCommerce Stripe Gateway plug-in should update the plug-in to the latest version. If this is not done, attackers could access store internals.

Patch now!

Security researchers from Patchstack warn about a vulnerability (CVE-2023-34000 “high”) in WooCommerce Stripe Gateway. They classify the severity as critical. Admins should therefore act quickly.

The plug-in sets up multiple payment options for customers, such as Apple Pay and credit card, and processes payment directly on a store’s website. WooCommerce Stripe Gateway is used worldwide and has around 900,000 active installations.

The security hole

The flaw is found in the javascript_params and payment_fields functions. This results in errors in the processing of order objects and in combination with the lack of access control. In the end, attackers can view order information such as names, addresses and email addresses of customers.

The developer claims to have closed the vulnerability in the 7.4.1 release.

Sources

Contact & Information

Do you have suggestions for improvement or would you like to have an article translated / created? Please contact me!