The ever-changing topography of cyberspace continually introduces new security flaws and vulnerabilities. A major vulnerability, now tracked as CVE-2023-34000 with a CVSS score of 7.5, has been discovered in the WooCommerce Stripe Gateway Plugin, prompting an urgent call to action for both site administrators and security specialists. This plugin, built by WooCommerce and presently used on over 900,000 active installs, is well known for letting online and mobile businesses take payments directly. Thanks to a built-in feature of the plugin, customers can complete their purchases without ever leaving the online shop, which eliminates the need for an externally hosted checkout page.

Nevertheless, an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability lies behind the plugin's surface functionality. In its unpatched condition, this vulnerability gives an unauthenticated user the potential to obtain highly sensitive Personally Identifiable Information (PII) associated with any WooCommerce order. The exposed data may include a user's complete name, email address, and residential address.
Following the breadcrumb trail of this security hole leads to the ‘javascript_params’ function located inside the plugin. The code in this method uses the ‘order_id’ variable, derived from the query parameters, to fetch an order object, and then gathers specific information from that order object, such as complete user details and addresses. Within this method there is a noticeable lack of order ownership checks, which substantially increases the risk, since the ‘order’ object is returned for any id supplied. Experts discovered that the ‘payment_scripts’ function calls ‘javascript_params’ and then passes the resulting JavaScript object to the front-end by way of the ‘wp_localize_script’ function. When a user visits the homepage of the website, the combined behaviour causes the order's personally identifiable information to be disclosed, mirrored back into the page source.
After further examination, a second occurrence of the vulnerability was found inside the ‘payment_fields’ method. Like the one found in the ‘javascript_params’ function, this vulnerability stems from the absence of any order ownership verification. The result is the same: the front-end has access to both the user's billing email address and their complete name.
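As an added illustration (not the plugin's own code), the pattern the article describes, beside a version that enforces order ownership before any order detail reaches the page. It assumes the standard WooCommerce/WordPress functions wc_get_order(), get_current_user_id(), current_user_can() and the WC_Order billing getters; the function names are hypothetical.

```php
<?php
// Added illustration, not the plugin's actual code. Assumes the WooCommerce
// and WordPress APIs wc_get_order(), get_current_user_id(), current_user_can()
// and the WC_Order billing getters; function names below are hypothetical.

// Vulnerable pattern: order_id is taken straight from the query string and the
// order's PII is returned to whoever supplied the id. No ownership check.
function order_params_unchecked() {
    $order_id = isset( $_GET['order_id'] ) ? absint( $_GET['order_id'] ) : 0;
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        return array();
    }
    return array(
        'billing_email'      => $order->get_billing_email(),
        'billing_first_name' => $order->get_billing_first_name(),
        'billing_last_name'  => $order->get_billing_last_name(),
    );
}

// Hardened pattern: expose the order's details only when the request is tied
// to that order, i.e. the logged-in customer who placed it or a shop manager.
function order_params_checked() {
    $order_id = isset( $_GET['order_id'] ) ? absint( $_GET['order_id'] ) : 0;
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        return array();
    }
    $user_id = get_current_user_id(); // 0 for unauthenticated visitors
    $owner   = $user_id > 0 && (int) $order->get_customer_id() === $user_id;
    $manager = current_user_can( 'manage_woocommerce' );
    if ( ! $owner && ! $manager ) {
        return array(); // deny by default: nothing about the order is localized
    }
    return array(
        'billing_email'      => $order->get_billing_email(),
        'billing_first_name' => $order->get_billing_first_name(),
        'billing_last_name'  => $order->get_billing_last_name(),
    );
}
```

Guest orders carry a customer id of 0, so a store that supports guest checkout would additionally need to tie the request to the order key (WooCommerce's $order->key_is_valid()) rather than treating every visitor as a possible owner.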