The WooCommerce Stripe Payment Gateway plugin was found to have a vulnerability that enables an attacker to steal buyer personally identifiable information (PII) from shops using the plugin.
Security researchers warn that hackers don't need authentication to pull off the exploit, which received a high severity score of 7.5 on a scale of 1 to 10.
WooCommerce Stripe Payment Gateway Plugin
The Stripe payment gateway plugin, developed by WooCommerce, Automattic, WooThemes and other contributors, is installed on over 900,000 websites.
It offers an easy way for customers at WooCommerce shops to check out, with a number of different credit cards and without having to open an account.
A Stripe account is automatically created at checkout, offering customers a frictionless ecommerce shopping experience.
The plugin works through an application programming interface (API).
An API is like a bridge between two pieces of software; it allows the WooCommerce store to interact with the Stripe software so that orders pass from the website to Stripe seamlessly.
What Is the Vulnerability in the WooCommerce Stripe Plugin?
Security researchers at Patchstack discovered the vulnerability and responsibly disclosed it to the relevant parties.
According to security researchers at Patchstack:
“This plugin suffers from an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability.
This vulnerability allows any unauthenticated user to view any WooCommerce order's PII data including email, user's name, and full address.”
WooCommerce Stripe Plugin Versions Affected
The vulnerability affects versions up to and including version 7.4.0.
Developers associated with the plugin updated it to version 7.4.1, which is the most secure version.
These were the security updates made, according to the official plugin changelog:
- “Fix – Add Order Key Validation.
- Fix – Add sanitization and escaping some outputs.”
There were a couple of issues that needed a fix.
The first appears to be a lack of validation, which generally is a check to verify that a request comes from an authorized entity.
The next is sanitization, which refers to a process of blocking any input that isn't valid. For example, if an input allows only text, then it should be set up in a way that prohibits scripts from being uploaded.
What the changelog also mentions is escaping outputs, which is a way to block unwanted and malicious inputs.
The non-profit security organization, Open Worldwide Application Security Project (OWASP), explains it like this:
“Encoding and escaping are defensive techniques meant to stop injection attacks.”
The official WordPress API handbook explains it this way:
“Escaping output is the process of securing output data by stripping out unwanted data, like malformed HTML or script tags.
This process helps secure your data prior to rendering it for the end user.”
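To make the three changelog items concrete, here is a small Python model of an order-lookup endpoint in its IDOR form and its hardened form. This is an added example, not code from the plugin, from Patchstack or from WooCommerce: the in-memory order store, the order keys and the customer records are constructed for the example, and the function names are hypothetical. The vulnerable version selects an order by its numeric ID alone; the hardened version parses the ID strictly (sanitization), requires the per-order secret key and compares it in constant time (order key validation), and HTML-escapes every field before it is rendered (escaping output).

```python
import hmac
import html
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    order_key: str   # secret per-order token handed to the buyer at checkout
    email: str
    name: str
    address: str


def new_order_key() -> str:
    """An order key must be unguessable: a short or sequential key would make
    the key check no stronger than the easily enumerated numeric order ID."""
    return "wc_order_" + secrets.token_urlsafe(16)


# Constructed sample data for the example; not real customer records.
ORDERS = {
    101: Order(101, "wc_order_k1example", "alice@example.com",
               "Alice <Example>", "1 Main St"),
    102: Order(102, "wc_order_k2example", "bob@example.com",
               "Bob O'Example", "2 High St"),
}


def lookup_vulnerable(order_id: int):
    """IDOR pattern: the order ID alone selects the record, so any caller who
    supplies an existing ID receives the buyer's PII, no authentication needed."""
    order = ORDERS.get(order_id)
    if order is None:
        return None
    return {"email": order.email, "name": order.name, "address": order.address}


def parse_order_id(raw):
    """Input sanitization: accept only a positive decimal integer string."""
    if not isinstance(raw, str) or not raw.isdigit():
        return None
    value = int(raw)
    return value if value > 0 else None


def lookup_hardened(raw_order_id, raw_order_key):
    """The same lookup with order-key validation and output escaping.
    Every failure returns None, so a caller cannot tell 'no such order'
    apart from 'wrong key' and cannot confirm which IDs exist."""
    order_id = parse_order_id(raw_order_id)
    if order_id is None:
        return None
    order = ORDERS.get(order_id)
    if order is None or not isinstance(raw_order_key, str):
        return None
    # Constant-time comparison of the secret order key.
    if not hmac.compare_digest(order.order_key, raw_order_key):
        return None
    # Escape on output so names or addresses containing markup render as text.
    return {
        "email": html.escape(order.email),
        "name": html.escape(order.name),
        "address": html.escape(order.address),
    }


def render_order_html(details) -> str:
    """Render already-escaped fields into an HTML fragment."""
    return "".join(f"<li>{k}: {v}</li>" for k, v in details.items())


if __name__ == "__main__":
    print(lookup_vulnerable(101))                       # PII with no key at all
    print(lookup_hardened("101", "wrong-key"))          # None
    print(render_order_html(lookup_hardened("101", ORDERS[101].order_key)))
    print(new_order_key())
```

The important design choice is that the hardened lookup treats a missing order, a malformed ID and a wrong key identically: a differing response for "ID exists but key is wrong" would still leak which order numbers are real.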
It is highly recommended that users of the plugin immediately update their plugins to version 7.4.1.
Read the security advisory at Patchstack:
Featured image by Shutterstock/FedorAnisimov