The ever-changing topography of cyberspace always results in the introduction of new security flaws and vulnerabilities. A major vulnerability, which is now known as CVE-2023-34000 and has a CVSS score of 7.5, has been discovered in the WooCommerce Stripe Gateway Plugin, which has prompted an urgent call to action for both site administrators and security specialists. This plugin, which was built by WooCommerce and is presently being used in over 900,000 active installs, is well-known for its efficient capabilities to take payments directly on online and mobile businesses. Customers are able to finish their purchases without ever leaving the environment of the online shop thanks to an inherent feature of this plugin. This eliminates the need for an externally hosted checkout page.
Nevertheless, an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability lies behind the plugin’s surface functionality. This vulnerability, in its unpatched condition, gives an unauthenticated user the potential to obtain extremely sensitive Personally Identifiable Information (PII) that is associated with any WooCommerce order. This data may contain sensitive information such as a user’s complete name, email address, and residence address in its exposed form.
Following the breadcrumb trail of this security hole leads to the ‘javascript_params’ function that is located inside the plugin. The ‘order_id’ variable is used by the code included inside this method in order to get an order object. This variable is derived from the query parameters, and it then gathers specific information from the order object, such as complete user details and addresses. Within this method, there is a noticeable lack of order ownership checks, which substantially increases the risk and makes it possible to return the ‘order’ as an object. Experts made the discovery that the ‘payment_scripts’ function might be used to activate the ‘javascript_params’ variable. This function then returns a JavaScript object variable to the front-end by way of the ‘wp_localize_script’ function. When a user visits the homepage of the website, the overall functionality causes the order’s personally identifiable information to be disclosed, which is then mirrored back into the page source.
After further examination, a second occurrence of the vulnerability was found to be placed inside the ‘payment_fields’ method. This vulnerability, like the one found in the ‘javascript_params’ function, stems from the fact that there is no order ownership verification taking place. The result is the same: the front-end has access to both the user’s billing email address and their complete name.
WooCommerce has released an update for the CVE-2023-34000 vulnerability in version 7.4.1, and some older versions have also had the fix backported to them. In light of the potentially severe nature of the vulnerability, site administrators and security experts are strongly recommended to speed up the patching operations now in place.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.