
Sensitive data leaks likely with critical WooCommerce Stripe Gateway plugin flaw

The Hacker News reports that a critical security vulnerability in the WooCommerce Stripe Gateway plugin, which lets WordPress-based e-commerce sites accept a range of payment methods, could be exploited to expose sensitive data. The flaw, an unauthenticated insecure direct object reference (IDOR) tracked as CVE-2023-34000, stems from an inadequate access control mechanism in the plugin's "payment_fields" and "javascript_params" functions, together with improper handling of the order object, according to Patchstack security researcher Rafie Muhammad. "This vulnerability allows any unauthenticated user to view any WooCommerce order's PII data including email, user's name, and full address," said Muhammad. WooCommerce shipped a fix last month in version 7.4.1 of the plugin; sites still running an earlier version remain exposed until they update. The details were published after WordPress addressed five separate vulnerabilities, three of them found in a third-party audit; the patched flaws include an unauthenticated cross-site scripting vulnerability and an unauthenticated directory traversal vulnerability.
