CVE-2023-3162: Stripe Payment Plugin for WooCommerce Authentication Bypass Flaw
A critical security vulnerability has been discovered in the Stripe Payment Plugin for WooCommerce that could allow an unauthenticated attacker to log in as any user who has placed an order. The vulnerability, tracked as CVE-2023-3162, has a CVSS score of 9.8, making it a severe risk.
The Stripe Payment Plugin for WooCommerce has become an integral part of the digital retail infrastructure, enabling businesses to accept a variety of payment methods. Whether customers pay with conventional credit and debit cards such as Mastercard, Visa, American Express, Discover, JCB, and Diners Club, or with modern alternatives like Alipay, Apple Pay, Google Pay, SEPA, Klarna, Afterpay/Clearpay, Sofort, iDEAL, and WeChat Pay, all transactions are processed through the secure Stripe Payment Gateway.
The plugin’s value proposition is clear: seamless and secure transactions. Upon activation, it integrates Stripe checkout into the merchant’s online store, providing customers a secure avenue to complete their transactions with credit or debit cards. With over 10,000 active installations, this feature-rich plugin promises a frictionless payment experience. But beneath the smooth surface, a serious flaw lurks.
The CVE-2023-3162 vulnerability lies in the way the plugin handles user authentication during a Stripe checkout. The plugin does not properly verify the user being supplied, which allows an attacker to bypass authentication and log in as any user who has placed an order.
If an attacker is able to exploit this vulnerability, they could gain access to any user account that has placed an order. This could include sensitive information such as credit card numbers, order history, and personal details.
In addition, the attacker could use the user’s account to make unauthorized purchases or to gain access to other sensitive areas of the site.
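The class of bug described above, a checkout flow that establishes a WordPress session for whatever user the request names, is easiest to recognise side by side with a version that binds the login to proof of order ownership. The code below is an added, hypothetical illustration written for this page; it is not the plugin's own code and does not reproduce the actual vulnerable function. Only standard WordPress and WooCommerce APIs are used (`wp_set_current_user`, `wp_set_auth_cookie`, `wc_get_order`, `WC_Order::get_order_key`, `WC_Order::get_user_id`); the function names `insecure_checkout_login` and `secure_checkout_login` and the request parameter names are assumptions.

```php
<?php
// Added example (not from the plugin): insecure vs. hardened "log the
// customer in after checkout" handlers. Assumes a WordPress + WooCommerce
// runtime; function and parameter names are hypothetical.

/**
 * INSECURE PATTERN. The request itself names the account to log in as, and
 * nothing proves the caller owns that account or the order. This is the
 * shape of the flaw: an unauthenticated request can pick any user id.
 */
function insecure_checkout_login() {
    $user_id = absint( $_POST['user_id'] ?? 0 );   // attacker-controlled
    wp_set_current_user( $user_id );               // no verification at all
    wp_set_auth_cookie( $user_id );
}

/**
 * HARDENED PATTERN. The caller never chooses the user. The user is derived
 * from the order, and the caller must present the order's secret order key,
 * which only the party that placed the order was given.
 *
 * @param int    $order_id  Order id from the request.
 * @param string $order_key Secret order key from the request.
 * @return int|WP_Error     Logged-in user id, or an error.
 */
function secure_checkout_login( $order_id, $order_key ) {
    $order_id  = absint( $order_id );
    $order_key = sanitize_text_field( wp_unslash( (string) $order_key ) );

    $order = wc_get_order( $order_id );
    if ( ! $order ) {
        return new WP_Error( 'no_order', 'Unknown order.' );
    }

    // Constant-time comparison of the presented key with the stored key.
    // A plain == comparison leaks timing and, with loose typing, can match
    // unexpected values.
    if ( '' === $order_key || ! hash_equals( $order->get_order_key(), $order_key ) ) {
        return new WP_Error( 'bad_key', 'Order key mismatch.' );
    }

    // The account comes from the order record, never from the request.
    $user_id = (int) $order->get_user_id();
    if ( $user_id <= 0 ) {
        // Guest checkout: there is no account to log in as.
        return new WP_Error( 'guest_order', 'Order has no associated user.' );
    }

    // Do not silently switch an already-authenticated visitor to a
    // different account; that would be an account takeover by another route.
    if ( is_user_logged_in() && get_current_user_id() !== $user_id ) {
        return new WP_Error( 'session_mismatch', 'Already logged in as another user.' );
    }

    wp_set_current_user( $user_id );
    wp_set_auth_cookie( $user_id, false, is_ssl() );  // secure flag on HTTPS
    return $user_id;
}
```

The hardened handler still rests on the order key being secret; since WooCommerce includes that key in order-received URLs, a stronger design additionally ties the login to the WooCommerce session that created the order, or avoids creating a full WordPress login from a payment callback at all and only confirms payment status.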
How to protect yourself
To protect yourself from this vulnerability, you should:
- Upgrade to the latest version of the Stripe Payment Plugin for WooCommerce (3.7.8 or higher).
- If you cannot upgrade immediately, you can disable the plugin until you have a chance to upgrade.
- Monitor your site for signs of unauthorized activity.