Vulnerability In WooCommerce Stripe Payment Gateway Plugin Affects 900,000+ Websites

Wordpress
By Taylor Davis
Vulnerability In WooCommerce Stripe Payment Gateway Plugin Affects 900,000+ Websites
0
Vulnerability In WooCommerce Stripe Payment Gateway Plugin Affects 900,000+ Websites

The WooCommerce Stripe payment gateway plugin was discovered to have a vulnerability that allows an attacker to steal customer personally identifiable information (PII) from stores using the plugin.

Security researchers warn that hackers do not need authentication to pull off the exploit, which received a rating of high, 7.5 on a scale of 1 – 10.

WooCommerce Stripe Payment Gateway Plugin

The Stripe payment gateway plugin, developed by WooCommerce, Automattic, WooThemes and other contributors, is installed in over 900,000 websites.

It offers an easy way for customers at WooCommerce stores to checkout, with a number of different credit cards and without having to open an account.

A Stripe account is automatically created at checkout, providing customers with a frictionless ecommerce shopping experience.

The plugin works through an application programming interface (API ).

An API is like a bridge between two software that allows the WooCommerce store to interact with the Stripe software to process orders from the website to Stripe seamlessly.

What is the Vulnerability in WooCommerce Stripe Plugin?

Security researchers at Patchstack discovered the vulnerability and responsibly disclosed it to the relevant parties.

According to security researchers at Patchstack:

“This plugin suffers from an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability.

This vulnerability allows any unauthenticated user to view any WooCommerce order’s PII data including email, user’s name, and full address.”

WooCommerce Stripe Plugin Versions Affected

The vulnerability affects versions prior to and equal to version 7.4.0.

Developers associated with the plugin updated it to version 7.4.1, which is the most secure version.

These were the security updates made, according to the official plugin changelog:

  • “Fix – Add Order Key Validation.
  • Fix – Add sanitization and escaping some outputs.”

There are a couple issues that needed a fix.

The first appears to be a lack of validation, which in general is a check to validate if a request is by an authorized entity.

The next one is sanitization, which refers to a process of blocking any input that is not valid. For example, if an input allows only text then it should be set up in a way that prohibits scripts from being uploaded.

What the changelog mentions is escaping outputs, which is a way to block unwanted and malicious inputs.

The non-profit security organization, Open Worldwide Application Security Project (OWASP) explains it like this:

“Encoding and escaping are defensive techniques meant to stop injection attacks.”

The official WordPress API handbook explains it this way:

“Escaping output is the process of securing output data by stripping out unwanted data, like malformed HTML or script tags.

This process helps secure your data prior to rendering it for the end user.”

It is highly recommended that users of the plugin immediately update their plugins to version 7.4.1

Read the Security Advisory at Patchstack:

Unauthenticated IDOR to PII Disclosure in WooCommerce Stripe Gateway Plugin

Featured image by Shutterstock/FedorAnisimov

if( typeof window.sopp != "undefined" && window.sopp === 'yes' ){ fbq('dataProcessingOptions', ['LDU'], 1, 1000); } console.log('load_px'); fbq('init', '1321385257908563');

fbq('init', '710012555858472' );

fbq('track', 'PageView');

fbq('trackSingle', '1321385257908563', 'ViewContent', { content_name: 'vulnerability-in-woocommerce-stripe-payment-gateway-plugin-affects-900000-websites', content_category: 'news wp' }); } });

FOLLOW US ON GOOGLE NEWS

 

Read original article here

Denial of responsibility! Search Engine Codex is an automatic aggregator of the all world’s media. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials, please contact us by email – [email protected]. The content will be deleted within 24 hours.

0
Taylor Davis 205 posts 0 comments
You might also like More from author
Leave A Reply

Your email address will not be published.

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More