Vulnerability in WooCommerce Stripe Payment Gateway Plugin Affects Over 900,000 Websites

The WooCommerce Stripe payment gateway plugin was found to have a vulnerability that permits attackers to steal customer personally identifiable information (PII) from stores using the plugin.

Security researchers warn that hackers do not need authentication to exploit this vulnerability, which received a high rating of 7.5 on a scale of 1 to 10.

WooCommerce Stripe Payment Gateway Plugin

The Stripe payment gateway plugin, developed by WooCommerce, Automattic, WooThemes, and other contributors, is installed on over 900,000 websites.

It offers an easy checkout process for customers at WooCommerce stores, supporting multiple credit cards and account-free transactions.

A Stripe account is automatically created at checkout, providing customers with a seamless ecommerce shopping experience.

The plugin operates through an application programming interface (API).

An API acts as a bridge between two software systems, allowing the WooCommerce store to interact with the Stripe software to process orders seamlessly.

What is the Vulnerability in WooCommerce Stripe Plugin?

Security researchers at Patchstack discovered the vulnerability and responsibly disclosed it to the relevant parties.

According to security researchers at Patchstack:

“This plugin suffers from an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability.

This vulnerability allows any unauthenticated user to view any WooCommerce order’s PII data including email, user’s name, and full address.”

WooCommerce Stripe Plugin Versions Affected

The vulnerability affects versions prior to and including version 7.4.0.

Developers have since updated the plugin to version 7.4.1, which is the most secure version.

The security updates, according to the official plugin changelog, include:

  • “Fix – Add Order Key Validation.”
  • “Fix – Add sanitization and escaping of some outputs.”

Several issues required fixes.

The first issue is missing validation; validation, in general terms, ensures that a request comes from an entity authorized to make it. In this case the fix checks the order key, the per-order secret issued at checkout, before returning order details.

The next issue is sanitization, which means rejecting or cleaning input that does not match what a field expects. For example, an input that should only ever receive plain text should not accept script content.

The changelog also mentions escaping outputs, which neutralizes unwanted or malicious content before it is rendered for display.

The non-profit security organization Open Worldwide Application Security Project (OWASP) explains it this way:

“Encoding and escaping are defensive techniques meant to stop injection attacks.”

The official WordPress API handbook describes it as follows:

“Escaping output is the process of securing output data by stripping out unwanted data, like malformed HTML or script tags.

This process helps secure your data before rendering it for the end user.”
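The three fixes named in the changelog (order key validation, input sanitization, output escaping) can be seen together in a small model of an order lookup endpoint. The following is an added example written for this article, not code from the WooCommerce Stripe plugin or from Patchstack: the Order class, the ORDERS table, the order-key format and all function names are constructed for illustration, and the sample customers are made up.

```python
import hmac
import html
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Order:
    """One store order. The order_key is a per-order secret handed to the
    customer at checkout; a lookup must prove knowledge of it."""
    order_id: int
    order_key: str
    email: str
    name: str
    address: str


def new_order_key() -> str:
    """Unguessable per-order key. The wc_order_ prefix mirrors WooCommerce's
    convention; the random part and this function are hypothetical."""
    return "wc_order_" + secrets.token_urlsafe(16)


# Constructed sample data, not real customers. Order 1002 carries stored
# markup in the name field so the escaping step has something to neutralize.
ORDERS = {
    1001: Order(1001, new_order_key(), "alice@example.com",
                "Alice Example", "1 Main St"),
    1002: Order(1002, new_order_key(), "bob@example.com",
                "Bob <script>alert(1)</script>", "2 High St"),
}


def sanitize_order_id(raw: str) -> Optional[int]:
    """Input sanitization: accept only a plain decimal order number."""
    raw = raw.strip()
    return int(raw) if raw.isdigit() else None


def lookup_order_insecure(order_id: int) -> Optional[Order]:
    """The IDOR pattern: the order id alone selects the record, so any
    caller who supplies a valid id receives that order's PII."""
    return ORDERS.get(order_id)


def lookup_order(order_id: int, supplied_key: str) -> Optional[Order]:
    """Order key validation: the request must carry the key issued for this
    exact order. compare_digest keeps the comparison constant-time, and a
    missing order and a wrong key fail identically, so the response does
    not reveal which ids exist."""
    order = ORDERS.get(order_id)
    # A dummy key for unknown ids keeps the code path uniform.
    expected = order.order_key if order else new_order_key()
    if not hmac.compare_digest(expected.encode(), supplied_key.encode()):
        return None
    return order


def render_order_summary(order: Order) -> str:
    """Output escaping: every customer-supplied field is escaped before it
    is placed in HTML, so stored markup renders as text, not as tags."""
    return (
        "<ul>"
        f"<li>Name: {html.escape(order.name, quote=True)}</li>"
        f"<li>Email: {html.escape(order.email, quote=True)}</li>"
        f"<li>Address: {html.escape(order.address, quote=True)}</li>"
        "</ul>"
    )


def handle_order_received(raw_id: str, raw_key: str) -> str:
    """Request handler tying the three fixes together: sanitize the id,
    validate the key, escape the output."""
    order_id = sanitize_order_id(raw_id)
    if order_id is None:
        return "<p>Invalid request.</p>"
    order = lookup_order(order_id, raw_key)
    if order is None:
        return "<p>Order not found.</p>"
    return render_order_summary(order)


if __name__ == "__main__":
    print(handle_order_received("1002", ORDERS[1002].order_key))  # escaped summary
    print(handle_order_received("1002", "guess"))                 # Order not found.
```

The contrast between lookup_order_insecure and lookup_order is the whole of the IDOR fix: the first trusts a predictable identifier, the second requires a secret that only the customer who placed the order was given. Escaping is applied at render time rather than at storage time, which is the approach the WordPress handbook quote above describes.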

It is highly recommended that users of the plugin immediately update to version 7.4.1.

Read the Security Advisory at Patchstack:

Unauthenticated IDOR to PII Disclosure in WooCommerce Stripe Gateway Plugin

Featured image by Shutterstock/FedorAnisimov
