The Stripe Payment Plugin for WooCommerce, a WordPress plugin by WebToffee, was found to have an Authentication Bypass vulnerability affecting versions up to 3.7.7. This flaw allowed attackers to gain access to the accounts of users with orders, including customers and potentially higher-level users. The issue was responsibly disclosed to WebToffee, who promptly released a patch (version 3.7.8) on June 13, 2023.

Wordfence Premium, Care, and Response users received a firewall rule for protection on June 19, 2023, while free Wordfence users will receive the same protection on July 19, 2023.

We advise all users of the plugin to update to version 3.7.8 to safeguard their websites. The vulnerability has a high severity rating (CVSS Score: 9.8), and it was discovered and reported by Lana Codes.

Exploiting the flaw allowed attackers to log in as users with orders, which could include higher-level users such as shop managers or administrators who had created test orders. The plugin had options for inline payments and checkout redirection, which led to the vulnerability.

The timeline of disclosure and response was as follows:

  • June 8, 2023: Discovery of the vulnerability
  • June 9, 2023: Contact initiated with the plugin vendor
  • June 13, 2023: Patch (version 3.7.8) released by WebToffee
  • June 19, 2023: Firewall rule for Wordfence Premium, Care, and Response users
  • July 19, 2023: Firewall rule for free Wordfence users

Users should ensure their sites are updated to the latest patched version to mitigate any potential risks. Sharing this information with others using the plugin can help ensure their site’s security as well.

Security researchers interested in responsible disclosure can submit findings to Wordfence Intelligence and possibly receive a CVE ID.

Source: Wordfence