A vulnerability in the WooCommerce Stripe payment gateway plugin allows unauthenticated attackers to read customer personally identifiable information (PII) from affected stores. The flaw carries a CVSS severity score of 7.5 out of 10, rated High.
The Stripe payment gateway plugin, developed by WooCommerce, Automattic, WooThemes, and other contributors, has more than 900,000 active installations. It lets customers pay by credit card at checkout without creating an account and integrates the WooCommerce store with Stripe through Stripe's API for order processing.
The vulnerability, discovered by security researchers at Patchstack, is an unauthenticated Insecure Direct Object Reference (IDOR). An IDOR arises when an application looks up an object from a user-supplied identifier (here, a WooCommerce order) without verifying that the requester is entitled to it; in this case any unauthenticated visitor could retrieve sensitive PII from WooCommerce orders, including customer names, email addresses, and full postal addresses.
All versions of the WooCommerce Stripe plugin up to and including 7.4.0 are affected. The developers released version 7.4.1 to address the issue. The fix adds proper order key validation (so that an order can only be retrieved by a requester who also presents the secret per-order key WooCommerce issues to the purchasing customer), together with input sanitization and output escaping.
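The following is an added, illustrative example written for this article; it is not the plugin's own code and does not reproduce the actual vulnerable function. It shows the IDOR pattern the article describes (an order fetched from a caller-controlled ID with no ownership check and no output escaping) beside a hardened version that applies the three ingredients named in the fix: order key validation, input sanitization, and output escaping. The function names, the `order_id` and `key` request parameters, and the rendered fields are assumptions for the example; `wc_get_order()`, `WC_Order::key_is_valid()`, `wc_clean()`, `wp_unslash()`, `absint()`, `esc_html()`, and `wp_kses_post()` are real WooCommerce/WordPress functions.

```php
<?php
/**
 * Illustrative example for this article (not the plugin's code).
 * Hypothetical endpoint functions that render order details for a visitor.
 */

// VULNERABLE PATTERN: the order is looked up purely from a request
// parameter. Any unauthenticated visitor can iterate order_id values and
// read other customers' PII (name, email, full address).
function example_render_order_details_vulnerable() {
    if ( ! isset( $_GET['order_id'] ) ) {
        return;
    }
    $order = wc_get_order( (int) $_GET['order_id'] );
    if ( ! $order ) {
        return;
    }
    // No check that the requester is entitled to this order, and the
    // values are echoed without escaping.
    echo 'Name: ' . $order->get_formatted_billing_full_name() . '<br>';
    echo 'Email: ' . $order->get_billing_email() . '<br>';
    echo 'Address: ' . $order->get_formatted_billing_address();
}

// HARDENED PATTERN: require the order key as well as the ID. WooCommerce
// generates a random per-order key (wc_order_...) that is only given to the
// customer who placed the order; WC_Order::key_is_valid() compares it.
function example_render_order_details_hardened() {
    if ( ! isset( $_GET['order_id'], $_GET['key'] ) ) {
        return;
    }
    // Sanitize inputs: absint() for the ID, wc_clean()/wp_unslash() for the key.
    $order_id  = absint( $_GET['order_id'] );
    $order_key = wc_clean( wp_unslash( $_GET['key'] ) );

    $order = wc_get_order( $order_id );
    // Fail closed: an unknown order and a wrong key produce the same empty
    // response, so an attacker cannot distinguish the two cases.
    if ( ! $order || ! $order->key_is_valid( $order_key ) ) {
        return;
    }
    // Escape on output so stored order data cannot inject markup into the page.
    // The formatted address intentionally contains <br/> tags, so it is
    // filtered with wp_kses_post() rather than fully escaped.
    echo 'Name: ' . esc_html( $order->get_formatted_billing_full_name() ) . '<br>';
    echo 'Email: ' . esc_html( $order->get_billing_email() ) . '<br>';
    echo 'Address: ' . wp_kses_post( $order->get_formatted_billing_address() );
}
```

The order key is the same secret WooCommerce already appends to its own order-received and order-pay URLs (`?key=wc_order_...`), so requiring it on any order-detail endpoint costs the legitimate customer nothing while defeating ID enumeration. On a site with WP-CLI, `wp plugin get woocommerce-gateway-stripe --field=version` reports the installed plugin version, which is the quickest way to confirm whether a store is still on 7.4.0 or earlier.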
To mitigate the risk, users of the WooCommerce Stripe payment gateway plugin should update to version 7.4.1 or later immediately; until the update is applied, every order in the store is readable by anyone who can guess or enumerate an order ID.