WordPress Plugin Vulnerabilities

Stripe Payment Plugin for WooCommerce < 3.7.8 - Authentication Bypass

Description

The plugin does not properly check users during the Stripe checkout process, which could allow unauthenticated attackers to log in as any users having placed an order when the Stripe checkout option is enabled

Affects Plugins

Plugin icon
payment-gateway-stripe-and-woocommerce-integration
Fixed in 3.7.8

References

CVE
CVE-2023-3162
URL
https://www.wordfence.com/blog/2023/08/webtoffee-addresses-authentication-bypass-vulnerability-in-stripe-payment-plugin-for-woocommerce-wordpress-plugin/

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
8.1 (high)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
37e84f3f-111f-4898-8741-6f5df66ba488

Timeline

Publicly Published
2023-08-01 (about 2 years ago)
Added
2023-08-02 (about 2 years ago)
Last Updated
2023-08-02 (about 2 years ago)

Other

Published
Title
Published
2024-09-24
Title
REST API TO MiniProgram < 4.7.6 - Unauthenticated Arbitrary User Email Update and Privilege Escalation via Account Takeover
Published
2025-11-11
Title
Payment Plugins Braintree For WooCommerce < 3.2.79 - Missing Authorization to Payment Token Exposure and Transaction Fraud
Published
2025-05-08
Title
WPBookit < 1.0.3 - Insecure Direct Object Reference to Unauthenticated Privilege Escalation via Account Takeover
Published
2025-08-14
Title
Order Tip for WooCommerce < 1.5.5 - Unauthenticated Tip Manipulation to Negative Value Leading to Unauthorized Discounts
Published
2026-02-10
Title
Videospirecore Theme Plugin <= 1.0.6 - Authenticated (Subscriber+) Privilege Escalation via User Email Change/Account Takeover