WordPress Plugin Vulnerabilities

Stripe Gateway < 7.6.1 - Cross-Site Request Forgery

Description

The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to 7.6.1 (exclusive). This is due to missing or incorrect nonce validation on the maybe_handle_redirect function. This makes it possible for unauthenticated attackers to change the stripe connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
woocommerce-gateway-stripe
Fixed in 7.6.1

References

CVE
CVE-2023-44999
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8e4ad8fa-b04c-4821-aadb-3120f824557f

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
40927caf-96b8-49a4-99e8-d343270bd5ae

Timeline

Publicly Published
2023-10-17 (about 2 years ago)
Added
2023-11-24 (about 2 years ago)
Last Updated
2024-01-12 (about 2 years ago)

Other

Published
Title
Published
2022-01-05
Title
SupportCandy < 2.2.7 - Arbitrary Ticket Deletion via CSRF
Published
2025-04-17
Title
Social Media Links <= 1.0.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2021-12-24
Title
Spreadsheet Integration < 3.6.0 - CSRF Bypass
Published
2023-03-23
Title
GiveWP < 2.25.3 - Cross-Site Request Forgery
Published
2025-12-11
Title
Truefy Embed <= 1.1.0 - Cross-Site Request Forgery to 'truefy_embed_options_update' Settings Update