PT-2023-27432 · WordPress · Stripe Payment Plugin For Woocommerce

Francesco Carlucci

Published

2023-08-18

Updated

2023-08-23

CVE-2023-4040

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions The Stripe Payment Plugin for WooCommerce plugin for WordPress versions up to, and including, 3.7.9

Description The issue is related to unauthorized modification of data due to a missing capability check on the eh callback handler function. This allows unauthenticated attackers to modify the order status of arbitrary WooCommerce orders.

Recommendations For versions up to, and including, 3.7.9, update to a version higher than 3.7.9 to resolve the issue. As a temporary workaround, consider disabling the eh callback handler function until a patch is available.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2023-4040

Affected Products

Stripe Payment Plugin For Woocommerce

PT-2023-27432 · WordPress · Stripe Payment Plugin For Woocommerce

CVE-2023-4040

Related Identifiers

Affected Products

References · 7