The WooCommerce Stripe payment gateway plugin was discovered to have a vulnerability that allows an attacker to steal customer personally identifiable information (PII) from stores using the plugin.
Security researchers warn that hackers do not need authentication to pull off the exploit, which received a rating of high, 7.5 on a scale of 1 – 10.
WooCommerce Stripe Payment Gateway Plugin
The Stripe payment gateway plugin, developed by WooCommerce, Automattic, WooThemes and other contributors, is installed in over 900,000 websites.
It offers an easy way for customers at WooCommerce stores to checkout, with a number of different credit cards and without having to open an account.
A Stripe account is automatically created at checkout, providing customers with a frictionless ecommerce shopping experience.
The plugin works through an application programming interface (API ).
An API is like a bridge between two software that allows the WooCommerce store to interact with the Stripe software to process orders from the website to Stripe seamlessly.
What is the Vulnerability in WooCommerce Stripe Plugin?
Security researchers at Patchstack discovered the vulnerability and responsibly disclosed it to the relevant parties.
According to security researchers at Patchstack:
“This plugin suffers from an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability.
This vulnerability allows any unauthenticated user to view any WooCommerce order’s PII data including email, user’s name, and full address.”
WooCommerce Stripe Plugin Versions Affected
The vulnerability affects versions prior to and equal to version 7.4.0.
Developers associated with the plugin updated it to version 7.4.1, which is the most secure version.
These were the security updates made, according to the official plugin changelog:
- “Fix – Add Order Key Validation.
- Fix – Add sanitization and escaping some outputs.”
There are a couple issues that needed a fix.
The first appears to be a lack of validation, which in general is a check to validate if a request is by an authorized entity.
The next one is sanitization, which refers to a process of blocking any input that is not valid. For example, if an input allows only text then it should be set up in a way that prohibits scripts from being uploaded.
What the changelog mentions is escaping outputs, which is a way to block unwanted and malicious inputs.
The non-profit security organization, Open Worldwide Application Security Project (OWASP) explains it like this:
“Encoding and escaping are defensive techniques meant to stop injection attacks.”
The official WordPress API handbook explains it this way:
“Escaping output is the process of securing output data by stripping out unwanted data, like malformed HTML or script tags.
This process helps secure your data prior to rendering it for the end user.”
It is highly recommended that users of the plugin immediately update their plugins to version 7.4.1
Read the Security Advisory at Patchstack:
Unauthenticated IDOR to PII Disclosure in WooCommerce Stripe Gateway Plugin
Featured image by Shutterstock/FedorAnisimov