Authentication Bypass in Stripe Payment Plugin for WooCommerce by WordPress
CVE-2023-3162

9.8CRITICAL

Key Information:

Vendor
Wordpress
Status
Stripe Payment Plugin For WooCommerce
Vendor
CVE Published:
31 August 2023

Summary

The Stripe Payment Plugin for WooCommerce on WordPress is susceptible to an authentication bypass, allowing unauthenticated users to gain access to accounts that have active orders. This vulnerability stems from inadequate verification processes during user authentication in Stripe's checkout system via the plugin. Attackers can exploit this flaw to log in as legitimate users, potentially compromising sensitive information and affecting user security.

Affected Version(s)

Stripe Payment Plugin for WooCommerce * <= 3.7.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/payment-gatewa...
https://plugins.trac.wordpress.org/changeset/2925361/paym...

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Lana Codes
.