WordPress Plugin Vulnerabilities

WooCommerce Stripe Payment Gateway < 7.6.2 - Unauthenticated Order Deletion via IDOR

Description

The plugin doe snot properly check for ownership of completed/pending orders, allowing unauthenticated users to put such order in the trash and delete them

Affects Plugins

Plugin icon
woocommerce-gateway-stripe
Fixed in 7.6.2

References

CVE
CVE-2023-51502
URL
https://patchstack.com/database/vulnerability/woocommerce-gateway-stripe/wordpress-woocommerce-stripe-gateway-plugin-7-6-1-unauthenticated-insecure-direct-object-references-idor-vulnerability

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
3.7 (low)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
Yes
WPVDB ID
67e4e4ab-5c46-4c46-a9d4-0baf8d49871b

Timeline

Publicly Published
2023-12-27 (about 2 years ago)
Added
2024-01-04 (about 2 years ago)
Last Updated
2024-01-05 (about 2 years ago)

Other

Published
Title
Published
2025-04-01
Title
JS Job Manager <= 2.0.2 - Authenticated Insecure Direct Object Reference
Published
2025-07-31
Title
Service Finder Bookings < 6.1 - Authentication Bypass via User Switch Cookie
Published
2024-10-30
Title
Forminator Forms < 1.36.1 - Unauthenticated Arbitrary Quiz Submissions Update
Published
2021-07-27
Title
uListing < 2.0.6 - Authenticated IDOR
Published
2024-12-02
Title
WPCasa < 1.3.0 - Insecure Direct Object Reference