WooCommerce Stripe Payment Gateway < 7.4.1 – Unauthenticated PII Disclosure via IDOR | CVE 2023-34000

Description

The plugin does not ensure that the order details to be displayed belongs to the user making the request, allows unauthenticated users to access sensitive information about the reorder details such as first/last names, email and address

Proof of Concept

As unauthenticated, see the source of https://example.com/?pay_for_order=true&order-pay=80 (80 being a valid order number)

Affects Plugins

woocommerce-gateway-stripe

Fixed in 7.4.1

References

CVE

CVE-2023-34000

URL

https://patchstack.com/articles/unauthenticated-idor-to-pii-disclosure-vulnerability-in-woocommerce-stripe-gateway-plugin

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CWE-639

CVSS

7.5 (high)

Miscellaneous

Original Researcher

Rafie Muhammad

Verified

Yes

WPVDB ID

09ce3ade-80fc-438b-8976-852a273d7c53

Timeline

Publicly Published

2023-06-13 (about 2 years ago)

Added

2023-06-14 (about 2 years ago)

Last Updated

2023-06-14 (about 2 years ago)

Other

Published

Title

Published

2025-10-24

Title

Tutor LMS Pro < 3.9.0 - Subscriber+ Other Assignments Access/Edit via IDOR

Published

2024-08-20

Title

Zephyr Project Manager < 3.3.103 - Missing Authorization to Authenticated (Subscriber+) Status Updates

Published

2024-03-28

Title

ProfileGrid < 5.7.3 - Authenticated (Subscriber+) Insecure Direct Object Reference

Published

2023-10-22

Title

wpDiscuz < 7.6.4 - Author+ IDOR

Published

2024-04-05

Title

Profile Builder < 3.11.3 - Restricted Email Bypass