what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Stripe Payment Plugin For WooCommerce 3.7.7 Authentication Bypass

WordPress Stripe Payment Plugin For WooCommerce 3.7.7 Authentication Bypass
Posted Aug 1, 2023
Authored by Lana Codes | Site wordfence.com

WordPress Stripe Payment Plugin for WooCommerce plugin versions 3.7.7 and below suffer from an authentication bypass vulnerability.

tags | exploit, bypass
advisories | CVE-2023-3162
SHA-256 | 263a956ca459f42b4b70546f48ac6fceb289d765a400737df8fed883d25f9594

WordPress Stripe Payment Plugin For WooCommerce 3.7.7 Authentication Bypass

Change Mirror Download
Affected Plugin: Stripe Payment Plugin for WooCommerce

Plugin Slug: payment-gateway-stripe-and-woocommerce-integration

Affected Versions: <= 3.7.7

CVE ID: CVE-2023-3162

CVSS Score: 9.8 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Researcher/s: Lana Codes

Fully Patched Version: 3.7.8

The Stripe Payment Plugin for WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.7.7. This is due to insufficient verification on the user being supplied during a Stripe checkout through the plugin. This allows unauthenticated attackers to log in as users who have orders, who are typically customers.

Technical Analysis

The Stripe Payment Plugin for WooCommerce, according to its settings, integrates various Stripe payment methods. By default, the plugin provides inline payments, which means that customers can complete their transactions directly on the WordPress website without being redirected to the Stripe website.

However, the plugin also provides an option for checkout redirection. This means that customers can choose to be redirected to the Stripe website to complete their payment process. This allows them to have a familiar and secure payment experience on the Stripe platform. To enable the checkout redirection option, you would need to configure the plugin settings accordingly.

Examining the code reveals that Stripe Checkout has an order cancellation link. If the customer cancels the payment, they will be returned to the WordPress website.

[VIEW THIS CODE SNIPPET ON THE BLOG]

The vulnerable 'eh_spg_stripe_cancel_order' function

If the link contains the ‘createaccount’ parameter and its value is ‘true’, the plugin will log the customer in based on the order id, without any authentication. This means that it is possible to create a link that automatically logs into any user account associated with an order.

An attacker is limited to what users they can log in as due to the fact that it is only possible to login as a user with an order. Considering the requirement of an order, in most cases an attacker will only be able to log in as a customer-level user. However, it is common for shop managers or administrators to create test orders in order to verify order functionality. In these cases there is a chance that by exploiting the authentication bypass vulnerability, an attacker can gain access to an administrative user account, or another higher-level user account.

The normal order process looks like this:

woo-stripe-checkout-howto-wordfence

The exploit process looks like this:

woo-stripe-checkout-exploit-howto-wordfence

Disclosure Timeline

June 8, 2023 – Discovery of the Authentication Bypass vulnerability in Stripe Payment Plugin for WooCommerce.

June 8, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.

June 9, 2023 – The vendor confirms the inbox for handling the discussion.

June 9, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.

June 13, 2023 – A fully patched version of the plugin, 3.7.8, is released.

June 19, 2023 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability. Note that we delayed the firewall rule to prevent completely breaking the plugin’s core functionality as it was not being actively exploited.

July 19, 2023 – Wordfence Free users receive the same protection.

Conclusion

In this blog post, we have detailed an Authentication Bypass vulnerability within the Stripe Payment Plugin for WooCommerce plugin affecting versions 3.7.7 and earlier. This vulnerability allows threat actors to bypass authentication and gain access to the accounts of users who have orders. The vulnerability has been fully addressed in version 3.7.8 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of Stripe Payment Plugin for WooCommerce.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on June 19, 2023. Sites still using the free version of Wordfence will receive the same protection on July 19, 2023.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close