Vulnerability in the WooCommerce Stripe Payment Gateway plugin affects more than 900,000 websites

A vulnerability in the WooCommerce Stripe Payment Gateway plugin could allow an attacker to steal personally identifiable information (PII) belonging to a store's customers through the plugin.

Security researchers warn that attackers need no authentication to exploit it; the vulnerability received a high severity rating of 7.5 on a scale of 1 to 10.

WooCommerce Stripe Payment Gateway Plugin

The Stripe payment gateway plugin, developed by WooCommerce, Automattic, WooThemes and other partners, is installed on more than 900,000 websites.

It offers customers of WooCommerce stores an easy way to pay with a range of credit cards, without having to open an account.

A Stripe account is automatically created upon purchase, providing customers with a frictionless e-commerce shopping experience.

The plugin works through an application programming interface (API).

An API acts as a bridge between two pieces of software: it lets the WooCommerce store talk to Stripe and hand orders placed on the website to Stripe for processing.

What is the WooCommerce Stripe plugin vulnerability?

Patchstack security researchers discovered the vulnerability and responsibly disclosed it to the relevant parties.

According to security researchers at Patchstack:

“This plugin suffers from an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability.

This vulnerability allows any unauthenticated user to view PII data from any WooCommerce order, including email, username, and full address.”

WooCommerce Stripe plugin versions affected

The vulnerability affects all versions up to and including 7.4.0.

The plugin's developers have released version 7.4.1, which contains the fix.

These were the security updates made, according to the official plugin change log:

“Fix: Add order key validation. Fix: Add sanitization and escape from some outputs.”

Two issues needed fixing.

The first is a lack of validation. Validation is, in general, a check that a request comes from an entity authorized to make it; here the changelog names the order key, which ties a request to one specific order.

Next is sanitization, the process of rejecting or cleaning input that is not valid. For example, a field that accepts only plain text should strip or reject script tags.

The changelog also mentions output escaping, which neutralizes unwanted or malicious content before it is rendered.

The non-profit security organization Open Worldwide Application Security Project (OWASP) explains it like this:

“Encoding and escaping are defensive techniques intended to stop injection attacks.”

The official WordPress API manual explains it this way:

“Output escaping is the process of securing output data by removing unwanted data such as HTML tags or malformed script.

This process helps protect your data before rendering it to the end user.”
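The two fixes named in the changelog, order key validation against the IDOR and output escaping, as an added illustration that is not the plugin's code or its actual patch. It uses a constructed in-memory order store in place of WooCommerce and plain PHP functions (hash_equals, htmlspecialchars) rather than the WordPress escaping helpers, so it runs on its own with the PHP CLI; the order ids, order keys and customer data are constructed sample values.

```php
<?php
// Added example, not the plugin's code: an order-details handler in its
// vulnerable shape (order id alone selects the record) and its hardened
// shape (order key validated, output escaped).
declare(strict_types=1);

// Constructed sample data standing in for WooCommerce orders. The 'key' is the
// per-order secret that only the purchaser receives; values are made up.
$orders = [
    1001 => ['key' => 'wc_order_sampleKeyA1', 'email' => 'alice@example.com', 'address' => '1 Main St'],
    1002 => ['key' => 'wc_order_sampleKeyB2', 'email' => 'bob@example.com',   'address' => '2 High St <b>flat 3</b>'],
];

// Vulnerable shape: any visitor who supplies an order id gets that order's PII
// (the Insecure Direct Object Reference), and stored values are rendered raw.
function order_details_vulnerable(array $orders, array $request): ?string {
    $id = (int) ($request['order_id'] ?? 0);
    if (!isset($orders[$id])) {
        return null;
    }
    $o = $orders[$id];
    return "<p>Email: {$o['email']}<br>Address: {$o['address']}</p>";
}

// Hardened shape: the request must carry the order key that matches the record,
// compared in constant time with hash_equals(); a wrong or missing key is
// answered exactly like a non-existent order, and output is escaped.
function order_details_hardened(array $orders, array $request): ?string {
    $id  = (int) ($request['order_id'] ?? 0);
    $key = (string) ($request['key'] ?? '');
    if ($key === '' || !isset($orders[$id])) {
        return null;
    }
    $o = $orders[$id];
    if (!hash_equals($o['key'], $key)) {
        return null;
    }
    // Escape on output so stored data cannot inject HTML or script into the page.
    $email   = htmlspecialchars($o['email'],   ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $address = htmlspecialchars($o['address'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Email: {$email}<br>Address: {$address}</p>";
}

// Demonstration: a request that knows only an order id.
$idOnly = ['order_id' => 1002];
echo "vulnerable, id only: ", order_details_vulnerable($orders, $idOnly), "\n";
var_dump(order_details_hardened($orders, $idOnly));                        // NULL: blocked
var_dump(order_details_hardened($orders, $idOnly + ['key' => 'wrong']));  // NULL: blocked
// The legitimate purchaser, holding the key, still sees the order, with markup escaped.
echo "hardened, with key: ",
     order_details_hardened($orders, ['order_id' => 1002, 'key' => 'wc_order_sampleKeyB2']), "\n";
```

Run it with `php example.php`. The hardened handler deliberately returns the same null result for a missing order, a missing key and a wrong key, so the response does not reveal which order ids exist; in a real WordPress plugin the escaping step would use the WordPress helpers (esc_html and related functions) that the quoted documentation describes.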

Users of the plugin are strongly advised to update to version 7.4.1 immediately.

Read the Security Notice on Patchstack:

Disclosure of IDOR to unauthenticated PII in the WooCommerce Stripe Gateway plugin

Featured image by Shutterstock/FedorAnisimov


About the Author: Ted Simmons

I follow and report the current news trends on Google news.
