WordPress Plugin Vulnerabilities

Stripe For WooCommerce 3.0.0 - 3.3.9 - Missing Authorization Controls to Financial Account Hijacking

Description

The plugin is missing a capability check on the save() function found in the ~/includes/admin/class-wc-stripe-admin-user-edit.php file that makes it possible for attackers to configure their account to use other site users unique STRIPE identifier and make purchases with their payment accounts

Affects Plugins

Plugin icon
woo-stripe-payment
Fixed in 3.3.10

References

CVE
CVE-2021-39347
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39347

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Margaux DABERT from Intrinsec
Verified
No
WPVDB ID
2ad058b7-e2f9-4754-85bb-be22253b4b75

Timeline

Publicly Published
2021-10-01 (about 4 years ago)
Added
2021-10-01 (about 4 years ago)
Last Updated
2022-04-15 (about 4 years ago)

Other

Published
Title
Published
2024-02-28
Title
Download Manager < 3.2.85 - Unauthenticated File Download
Published
2024-02-19
Title
Schema & Structured Data for WP & AMP < 1.27 - Contributor+ reCaptcha Key Update
Published
2024-01-24
Title
Views for WPForms < 3.2.3 - Missing Authorization via get_form_fields
Published
2024-09-06
Title
Cost Calculator Builder PRO < 3.2.2 - Unauthenticated Price Manipulation
Published
2026-02-16
Title
Zarinpal Gateway for WooCommerce < 5.0.17 - Improper Access Control to Payment Status Update