CVE-2023-34000 flaw in WooCommerce Stripe Gateway WordPress plugin may affect 900k sites
In the shifting landscape of cyberspace, the emergence of security vulnerabilities is an inevitable phenomenon. A critical flaw, now identified as CVE-2023-34000 with a CVSS score of 7.5, has been detected in the widely used WooCommerce Stripe Gateway Plugin, prompting an urgent call to action for security professionals and site administrators alike.
This plugin, developed by WooCommerce and currently employed in over 900,000 active installations, is renowned for its streamlined capability to process payments directly on web and mobile stores. An inherent feature of this plugin allows customers to complete transactions within the online store environment, negating the need for an externally hosted checkout page.
However, beneath the plugin’s surface functionality lurks an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability. In its unpatched state, this flaw provides an unauthenticated user the opportunity to access highly sensitive Personally Identifiable Information (PII) of any WooCommerce order. This exposed data can include critical information such as a user’s name, email, and full residential address.
To address the CVE-2023-34000 vulnerability, WooCommerce has rolled out a fix in version 7.4.1 with certain backported versions. Given the potential severity of the issue, site administrators and security professionals are encouraged to expedite their patching processes.