<\/p>\n
It was discovered that the WooCommerce Stripe payment gateway plugin had a vulnerability that could allow an attacker to steal personally identifiable information (PII) from a store’s customer via the plugin.<\/p>\n
Security researchers warn that hackers do not need authentication to pull off the exploit, which received a high rating of 7.5 on a scale of 1 to 10.<\/p>\n
The Stripe payment gateway plugin, developed by WooCommerce, Automattic, WooThemes and other partners, is installed on more than 900,000 websites.<\/p>\n
It offers an easy way for customers of WooCommerce stores to pay, with several different credit cards and without having to open an account.<\/p>\n
A Stripe account is automatically created upon purchase, providing customers with a frictionless e-commerce shopping experience.<\/p>\n
The plugin works through an application programming interface (API).<\/p>\n
An API is like a bridge between two pieces of software that allows the WooCommerce store to interact with the Stripe software to seamlessly process orders from the website to Stripe.<\/p>\n
Patchstack security researchers discovered the vulnerability and responsibly disclosed it to the relevant parties.<\/p>\n
According to security researchers at Patchstack:<\/strong><\/p>\n “This plugin suffers from an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability.<\/p>\n This vulnerability allows any unauthenticated user to view PII data from any WooCommerce order, including email, username, and full address.”<\/p>\n The vulnerability affects versions earlier and equal to version 7.4.0.<\/p>\n The developers associated with the plugin have updated it to version 7.4.1, which is the most secure version.<\/p>\n These were the security updates made, according to the official plugin change log<\/a>:<\/strong><\/p>\n “Fix: Add order key validation. Fix: Add sanitization and escape from some outputs.”<\/p>\n There are a couple of issues that needed fixing.<\/p>\n The first appears to be a lack of validation, which is generally a check to validate that a request is from an authorized entity.<\/p>\n Next is sanitization, which refers to a process of blocking any input that is not valid. For example, if an entry only allows text, it should be set to prohibit loading scripts.<\/p>\n What the changelog mentions is escaping exits, which is a way to block unwanted and malicious entries.<\/p>\n The non-profit security organization, Open Worldwide Application Security Project (OWASP) explains it like this<\/a>:<\/strong><\/p>\n “Encoding and escaping are defensive techniques intended to stop injection attacks.”<\/p>\n The official WordPress API manual explains it this way<\/a>:<\/strong><\/p>\n “Output escaping is the process of securing output data by removing unwanted data such as HTML tags or malformed script.<\/p>\n This process helps protect your data before rendering it to the end user.”<\/p>\n It is highly recommended that users of the plugin immediately update their plugins to version 7.4.1<\/p>\n Read the Security Notice on Patchstack:<\/strong><\/p>\nWooCommerce Stripe plugin versions affected<\/h2>\n