A critical security vulnerability has been discovered in the popular WooCommerce Stripe Gateway plugin, potentially exposing users’ personally identifiable information (PII).
The vulnerability, an unauthenticated insecure direct object reference (IDOR), affects versions 7.4.0 and earlier of the plugin, which has around 900,000 active installations.
“This plugin is a WordPress plugin which lets you accept payments instantly on a store for web and mobile,” wrote security researcher Rafie Muhammad from Patchstack in an advisory published on Tuesday.
“With the plugin, customers can stay in the store during checkout instead of being redirected to an externally hosted checkout page.”
Muhammad added that the flaw could allow unauthenticated users to access customer information associated with WooCommerce orders.
“This vulnerability allows any unauthenticated user to view any WooCommerce order’s PII data, including email, user’s name, and full address.”
From a technical standpoint, the vulnerability stems from insufficient validation of order ownership and can be exploited by manipulating query parameters. By leveraging this flaw, attackers can extract PII by bypassing authentication controls.
In the Patchstack advisory, Muhammad explained that the security firm discovered and disclosed the flaw to WooCommerce on April 17, 2023.
The plugin vendor then released a patch addressing the vulnerability on May 30. WooCommerce Stripe Gateway version 7.4.1 or later should be installed immediately to mitigate the risk.
“If you are a WooCommerce Stripe Gateway user, please update the plugin to at least version 7.4.1,” Muhammad said.
Despite the patches, the security researcher warned website owners and developers using the WooCommerce Stripe Gateway plugin to stay vigilant and always verify access control around order objects by checking the order key and ownership.
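The access-control point above (an order endpoint that validates only the id taken from the query string, versus one that also checks the order key and the owner) can be shown with a small model. The following is an added example written for this article; it is not the WooCommerce Stripe Gateway code or Patchstack's proof of concept. The `Order` class, the `ORDERS` table, the order keys and the two lookup functions are all constructed for illustration, and the rule that a guest order is authenticated by its key alone is an assumption of the model.

```python
"""Toy model of an order-lookup endpoint, showing the IDOR pattern beside an
ownership-checked version. Illustrative only: this is not the WooCommerce Stripe
Gateway code, and all order data below is constructed for the example."""
from dataclasses import dataclass
import hmac
from typing import Optional


@dataclass(frozen=True)
class Order:
    order_id: int
    order_key: str      # per-order secret the shop issues to the buyer
    customer_id: int    # 0 marks a guest checkout with no account (model assumption)
    email: str
    name: str
    address: str


# Constructed sample data; ids and keys are placeholders, not real orders.
ORDERS = {
    1001: Order(1001, "wc_order_key_example_a", 7, "alice@example.com", "Alice Example", "1 Example Way"),
    1002: Order(1002, "wc_order_key_example_b", 42, "bob@example.com", "Bob Example", "2 Example Road"),
    1003: Order(1003, "wc_order_key_example_c", 0, "guest@example.com", "Guest Buyer", "3 Example Lane"),
}


def _pii(order: Order) -> dict:
    return {"email": order.email, "name": order.name, "address": order.address}


def _parse_order_id(params: dict) -> Optional[int]:
    """Query-string values arrive as text; reject anything that is not an integer."""
    try:
        return int(params.get("order_id", ""))
    except ValueError:
        return None


def vulnerable_order_lookup(params: dict, current_user_id: Optional[int] = None) -> Optional[dict]:
    """IDOR pattern: the handler trusts the order_id from the query string and
    returns the order's PII without checking who is asking."""
    order_id = _parse_order_id(params)
    order = ORDERS.get(order_id) if order_id is not None else None
    return _pii(order) if order else None


def hardened_order_lookup(params: dict, current_user_id: Optional[int] = None) -> Optional[dict]:
    """Ownership-checked version: the caller must present the order key, and an
    order tied to a customer account is only shown to that customer."""
    order_id = _parse_order_id(params)
    order = ORDERS.get(order_id) if order_id is not None else None
    if order is None:
        return None
    supplied_key = str(params.get("key", ""))
    # Constant-time comparison so response timing does not reveal how much of the key matched.
    if not hmac.compare_digest(supplied_key.encode(), order.order_key.encode()):
        return None
    # Guest orders (customer_id == 0) are authenticated by the key alone in this model;
    # orders tied to an account additionally require that account to be logged in.
    if order.customer_id != 0 and current_user_id != order.customer_id:
        return None
    return _pii(order)


def enumeration_exposure(lookup, start: int, stop: int) -> int:
    """Audit check: count how many orders an unauthenticated caller walking a range
    of ids would receive from the given handler; any non-zero result is an IDOR."""
    return sum(1 for oid in range(start, stop + 1)
               if lookup({"order_id": str(oid)}) is not None)


if __name__ == "__main__":
    print("vulnerable handler exposes", enumeration_exposure(vulnerable_order_lookup, 1000, 1010), "orders")
    print("hardened handler exposes", enumeration_exposure(hardened_order_lookup, 1000, 1010), "orders")
```

The `enumeration_exposure` function is the kind of check a site owner or plugin reviewer can run against their own endpoint: with no session and no key, the vulnerable handler hands back every existing order in the range, while the hardened handler returns nothing, and a logged-in customer with the correct key still only sees their own order.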
The WooCommerce patches come a couple of months after the company behind the popular WordPress plugin Elementor updated its product to fix a critical vulnerability that could be exploited to change the appearance of websites.
Some parts of this article are sourced from:
www.infosecurity-journal.com