PII Exposed: Unauthenticated IDOR in WooCommerce Stripe Plugin


A critical security vulnerability has been discovered in the popular WooCommerce Stripe Gateway plugin, potentially exposing users’ personally identifiable information (PII). 

The vulnerability, an unauthenticated insecure direct object reference (IDOR), affects versions 7.4.0 and below of the plugin, which boasts over 900,000 active installations.

“This plugin is a WordPress plugin which allows you to accept payments directly on a store for web and mobile,” wrote security researcher Rafie Muhammad from Patchstack in an advisory published on Tuesday.

“With the plugin, customers can stay in the store during checkout instead of being redirected to an externally hosted checkout page.”

Muhammad added that the flaw could allow unauthenticated users to access user information associated with WooCommerce orders.

“This vulnerability allows any unauthenticated user to view any WooCommerce order’s PII data, including email, user’s name, and full address.”


From a technical standpoint, the vulnerability stems from inadequate validation of order ownership: the affected endpoint accepts an order identifier from a query parameter and returns the order’s data without confirming that the requester owns the order or holds its order key. An attacker who substitutes another customer’s order identifier can therefore retrieve that order’s PII without authenticating at all.

In the Patchstack advisory, Muhammad said the security firm found the flaw and disclosed it to WooCommerce on April 17, 2023.

The plugin vendor released a patch on May 30. Site owners should update to WooCommerce Stripe Gateway version 7.4.1 or later immediately to mitigate the risk.

“If you’re a WooCommerce Stripe Gateway user, please update the plugin to at least version 7.4.1,” Muhammad said.

Beyond applying the patch, the researcher urged website owners and developers using the WooCommerce Stripe Gateway plugin to stay vigilant and to enforce access control around order objects, checking both the order key and the order’s ownership before returning any order data.
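The flaw class described above (an order identifier taken from a query parameter and served without an ownership check) and the remedy the researcher recommends (checking the order key and ownership) are easiest to see side by side. The PHP below is an added example, not code from the WooCommerce Stripe Gateway plugin or from Patchstack’s advisory: a hypothetical WordPress admin-ajax endpoint in a vulnerable form and a hardened form. The hook names, the `idor_demo_*` function names and the `order_id` and `key` parameter names are invented for the illustration; the WordPress and WooCommerce calls it relies on (`wc_get_order`, `WC_Order::get_order_key`, `WC_Order::get_customer_id`, `current_user_can`, `hash_equals`) are real APIs.

```php
<?php
/**
 * Hypothetical illustration of the IDOR class discussed in the article.
 * NOT code from the WooCommerce Stripe Gateway plugin; hook names, function
 * names and query parameters are invented. Drop into a plugin file on a
 * WordPress + WooCommerce site to register two admin-ajax endpoints:
 *   idor_demo_order_vulnerable : returns order PII with no ownership check
 *   idor_demo_order_hardened   : verifies order key or ownership first
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Inert when loaded outside WordPress.
}

/** Reduce a WC_Order to the PII fields the advisory says were exposed. */
function idor_demo_order_pii( WC_Order $order ) {
    return array(
        'id'      => $order->get_id(),
        'email'   => $order->get_billing_email(),
        'name'    => $order->get_formatted_billing_full_name(),
        'address' => $order->get_formatted_billing_address(),
    );
}

/**
 * VULNERABLE: trusts ?order_id= outright. The wp_ajax_nopriv_ hook makes it
 * reachable without a login, so iterating order_id=1,2,3,... dumps every
 * order's PII. This mirrors the flaw class, not the plugin's actual code.
 */
function idor_demo_order_vulnerable() {
    $order_id = isset( $_GET['order_id'] ) ? absint( $_GET['order_id'] ) : 0;
    $order    = wc_get_order( $order_id );

    if ( ! $order ) {
        wp_send_json_error( 'order not found', 404 );
    }

    // Missing: any check that the caller owns the order or knows its key.
    wp_send_json_success( idor_demo_order_pii( $order ) );
}
add_action( 'wp_ajax_idor_demo_order_vulnerable', 'idor_demo_order_vulnerable' );
add_action( 'wp_ajax_nopriv_idor_demo_order_vulnerable', 'idor_demo_order_vulnerable' );

/**
 * Decide whether the current request may read $order. Three legitimate
 * paths: shop staff, the logged-in customer who placed it, or a caller
 * (e.g. a guest checkout) presenting the per-order secret key WooCommerce
 * generated. Anything else is denied.
 */
function idor_demo_can_view_order( WC_Order $order, $presented_key ) {
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }

    $user_id = get_current_user_id();
    if ( $user_id && (int) $order->get_customer_id() === (int) $user_id ) {
        return true;
    }

    // hash_equals avoids a timing side channel; an empty key never matches.
    $real_key = (string) $order->get_order_key();
    if ( '' !== $presented_key && '' !== $real_key
        && hash_equals( $real_key, (string) $presented_key ) ) {
        return true;
    }

    return false;
}

/**
 * HARDENED: same lookup, but authorization is enforced before any PII is
 * emitted. "Missing" and "forbidden" both return 404 so an unauthenticated
 * caller cannot enumerate which order IDs exist.
 */
function idor_demo_order_hardened() {
    $order_id = isset( $_GET['order_id'] ) ? absint( $_GET['order_id'] ) : 0;
    $key      = isset( $_GET['key'] ) ? wc_clean( wp_unslash( $_GET['key'] ) ) : '';
    $order    = wc_get_order( $order_id );

    if ( ! $order || ! idor_demo_can_view_order( $order, $key ) ) {
        wp_send_json_error( 'order not found', 404 );
    }

    wp_send_json_success( idor_demo_order_pii( $order ) );
}
add_action( 'wp_ajax_idor_demo_order_hardened', 'idor_demo_order_hardened' );
add_action( 'wp_ajax_nopriv_idor_demo_order_hardened', 'idor_demo_order_hardened' );
```

The hardened handler keeps the unauthenticated hook, because guest customers legitimately need to reach their own orders; what changes is that the request must prove a relationship to the specific order (ownership or the order key) rather than merely naming it. Hitting `/wp-admin/admin-ajax.php?action=idor_demo_order_hardened&order_id=123` without a valid `key` or a matching login returns 404, while the vulnerable variant returns the billing details.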

The WooCommerce patches come a couple of months after the firm behind the popular WordPress plugin Elementor updated its product to fix a critical vulnerability that could be exploited to change the appearance of websites.
