// For flags

CVE-2023-34000

WordPress WooCommerce Stripe Payment Gateway Plugin <= 7.4.0 is vulnerable to Insecure Direct Object References (IDOR)

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Unauth. IDOR vulnerability leading to PII Disclosure in WooCommerce Stripe Payment Gateway plugin <= 7.4.0 versions.

The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 7.4.0. This is due to insufficient validation in the payment_fields() and javascript_params () functions that do not properly validate order ownership. This makes it possible for unauthenticated attackers to retrieve potentially sensitive data for orders other than their own.

*Credits: Rafie Muhammad (Patchstack)
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2023-05-25 CVE Reserved
  • 2023-06-13 CVE Published
  • 2024-08-02 CVE Updated
  • 2024-08-02 First Exploit
  • 2024-11-24 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-639: Authorization Bypass Through User-Controlled Key
CAPEC
  • CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Woocommerce
Search vendor "Woocommerce"
 Stripe Payment Gateway
Search vendor "Woocommerce" for product "Stripe Payment Gateway"
 < 7.4.1
Search vendor "Woocommerce" for product "Stripe Payment Gateway" and version " < 7.4.1"
wordpress
Affected