A critical security vulnerability has been discovered in the popular WooCommerce Stripe Gateway plugin, potentially exposing users' personally identifiable information (PII).
The vulnerability, an unauthenticated insecure direct object reference (IDOR), affects versions 7.4.0 and below of the plugin, which has around 900,000 active installations.
"This plugin is a WordPress plugin which allows you to accept payments directly on a store for web and mobile," wrote security researcher Rafie Muhammad from Patchstack in an advisory published on Tuesday.
"With the plugin, customers can stay on the store throughout checkout instead of being redirected to an externally hosted checkout page."
Muhammad added that the flaw could allow unauthenticated users to access user information associated with WooCommerce orders.
"This vulnerability allows any unauthenticated user to view any WooCommerce order's PII data, including email, user's name, and full address."
From a technical standpoint, the vulnerability stems from insufficient validation of order ownership and can be exploited by manipulating query parameters. By leveraging this flaw, attackers can extract PII while bypassing authentication controls.
In the Patchstack advisory, Muhammad said the security firm discovered and disclosed the flaw to WooCommerce on April 17, 2023.
The plugin vendor then released a patch to address the vulnerability on May 30. WooCommerce Stripe Gateway version 7.4.1 or later should be installed immediately to mitigate the risk.
"If you're a WooCommerce Stripe Gateway user, you should update the plugin to at least version 7.4.1," Muhammad said.
Despite the patches, the security researcher warned site owners and developers using the WooCommerce Stripe Gateway plugin to remain vigilant and to always enforce access control on order objects by checking the order key and ownership.
The WooCommerce patches come a couple of months after the company behind the popular WordPress plugin Elementor updated its product to fix a critical vulnerability that could be exploited to alter the appearance of websites.
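As an added illustration of the order-key-and-ownership check the researcher recommends, the hypothetical endpoint below is not the plugin's code (the advisory does not reproduce the vulnerable or patched routine); it contrasts an insecure lookup that trusts an order id from the query string with a hardened version built on standard WordPress and WooCommerce functions.

```php
<?php
// Illustrative only: a made-up order-details endpoint reading
// ?order_id=123&key=wc_order_... from the query string.

// Insecure form: trusts the order id alone, so any unauthenticated visitor
// can walk through order ids and read each order's billing details (IDOR).
function example_insecure_order_lookup() {
    $order_id = absint( $_GET['order_id'] ?? 0 );
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        return null;
    }
    // No order-key or ownership check before returning PII.
    return array(
        'email'   => $order->get_billing_email(),
        'name'    => $order->get_formatted_billing_full_name(),
        'address' => $order->get_formatted_billing_address(),
    );
}

// Hardened form: require the unguessable order key AND verify ownership.
function example_secure_order_lookup() {
    $order_id = absint( $_GET['order_id'] ?? 0 );
    $key      = sanitize_text_field( wp_unslash( $_GET['key'] ?? '' ) );
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        return null;
    }
    // Order key must be supplied and must match; hash_equals avoids timing leaks.
    if ( '' === $key || ! hash_equals( $order->get_order_key(), $key ) ) {
        return null;
    }
    // Ownership: the logged-in customer must own the order, or the caller
    // must be a shop manager. Guest orders have customer id 0 and are never
    // matched by customer id alone.
    $user_id = get_current_user_id();
    $owns    = $user_id > 0 && (int) $order->get_customer_id() === $user_id;
    if ( ! $owns && ! current_user_can( 'manage_woocommerce' ) ) {
        return null;
    }
    return array(
        'email'   => $order->get_billing_email(),
        'name'    => $order->get_formatted_billing_full_name(),
        'address' => $order->get_formatted_billing_address(),
    );
}
```

Returning `null` for a missing order, a bad key and a non-owner alike also avoids confirming to a probing caller which order ids exist.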
Some elements of this post are sourced from:
www.infosecurity-journal.com