CVE-2023-4040
Stripe Payment Plugin for WooCommerce <= 3.7.9 - Missing Authorization to Arbitrary Order Status Modification
Severity Score
5.3
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
The Stripe Payment Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the eh_callback_handler function in versions up to, and including, 3.7.9. This makes it possible for unauthenticated attackers to modify the order status of arbitrary WooCommerce orders.
El plugin Stripe Payment Plugin for WooCommerce para WordPress es vulnerable a la modificación no autorizada de datos debido a una comprobación de capacidad faltante en la función eh_callback_handler en versiones hasta 3.7.9 inclusive. Esto hace posible que atacantes no autenticados modifiquen el estado de pedidos arbitrarios de WooCommerce.
*Credits:
Francesco Carlucci
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2023-08-01 CVE Reserved
- 2023-08-17 CVE Published
- 2024-08-02 CVE Updated
- 2024-12-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-862: Missing Authorization
CAPEC
References (2)
| URL | Tag | Source |
|---|---|---|
| https://www.wordfence.com/threat-intel/vulnerabilities/id/ef543c61-2acc-4b72-81ff-883960d4c7c3?source=cve | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://plugins.trac.wordpress.org/changeset/2954934 | 2023-11-07 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Webtoffee Search vendor "Webtoffee" | Stripe Payment Plugin For Woocommerce Search vendor "Webtoffee" for product "Stripe Payment Plugin For Woocommerce" | < 3.8.0 Search vendor "Webtoffee" for product "Stripe Payment Plugin For Woocommerce" and version " < 3.8.0" | wordpress |
Affected
| ||||||