CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43315 – WordPress Stripe Payments For WooCommerce plugin <= 1.9.1 - Insecure Direct Object References (IDOR) vulnerability
https://notcve.org/view.php?id=CVE-2024-43315
Authorization Bypass Through User-Controlled Key vulnerability in Checkout Plugins Stripe Payments For WooCommerce by Checkout.This issue affects Stripe Payments For WooCommerce by Checkout: from n/a through 1.9.1. The Stripe Payments For WooCommerce by Checkout Plugins plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.1 via the verify_intent() due to missing validation on the 'order' user controlled key. This makes it possible for unauthenticated attackers to access orders that do not belong to them. • https://patchstack.com/database/vulnerability/checkout-plugins-stripe-woo/wordpress-stripe-payments-for-woocommerce-plugin-1-9-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43316 – WordPress Stripe Payments For WooCommerce plugin <= 1.9.1 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-43316
Cross-Site Request Forgery (CSRF) vulnerability in Checkout Plugins Stripe Payments For WooCommerce by Checkout.This issue affects Stripe Payments For WooCommerce by Checkout: from n/a through 1.9.1. The Stripe Payments For WooCommerce by Checkout plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.9.1. This is due to missing or incorrect nonce validation on the verify_intent() function. This makes it possible for unauthenticated attackers to confirm orders via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/checkout-plugins-stripe-woo/wordpress-stripe-payments-for-woocommerce-plugin-1-9-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •