Home Latest Cyber Security News | Network Security Hacking Stripe Payment Gateway Plugin Patched Serious IDOR Flaw

Stripe Payment Gateway Plugin Patched Serious IDOR Flaw

by Abeerah Hashim
Anti-Spam WordPress Plugin Vulnerabilities Risked 200K+ Websites

A critical security flaw in the WooCommerce plugin Stripe Payment Gateway risked users’ safety. Exploiting the vulnerability could allow an attacker to pilfer the payments directly from the platform and steal other sensitive information. The developers patched the bug and released the security fix with the subsequent plugin version, urging users to update.

Stripe Payment Gateway IDOR Flaw

According to a recent post from Patchstack, a severe security flaw existed in the Stripe Payment Gateway plugin, risking numerous online stores.

Stripe Payment Gateway is a popular WooCommerce plugin empowering online stores to manage payments directly from Stripe API. The plugin currently boasts over 900,000 active installs. That means any vulnerabilities in this plugin if exploited, could directly impact thousands of online stores globally.

Patchstack reported that the plugin API exhibited an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability. The flaw typically existed due to the lack of proper control access on the javascript_params and payment_fields functions. Exploiting this vulnerability could let an unauthenticated attacker view and access any target users’ names, email addresses, complete addresses, and sensitive financial information.

This vulnerability affected all Stripe Payment Gateway versions before and including 7.4.0. Upon discovering the flaw, Patchstack reported the issue to the plugin developers in April 2023. Then, within a few days, the plugin team released the bug fix with the plugin version 7.4.1 on May 30, 2023.

After waiting for a couple of weeks for the latest plugin release to roll out, Patchstack has now published the details about their findings following the responsible vulnerability disclosure.

Now that the patch has been released, all WordPress admins running Stripe Payment Gateway plugin on their sites must update their stores with the latest plugin release as soon as possible. Such updates are always crucial for online store managers since any security breaches affecting their customers’ data not only impact their customers but also cause a major blow to the store’s credibility and customers’ trust.

Let us know your thoughts in the comments.

You may also like