Patchstack is reporting an Insecure Direct Object References (IDOR) vulnerability in WooCommerce Stripe Gateway, the most popular WooCommerce Stripe payment plugin with more than 900,000 active users. It was discovered by Patchstack researcher Rafie Muhammad on April 17, 2023, and patched by WooCommerce on May 30, 2023, in version 7.4.1.

The security advisory describes the vulnerability as follows:

This vulnerability allows any unauthenticated user to view any WooCommnerce order’s PII data including email, user’s name, and full address. The described vulnerability was fixed in version 7.4.1 with some backported fixed version and assigned CVE-2023-34000.

It was assigned a high severity CVSS 3.1 score of 7.5 and added to the Patchstack database on June 13.

The vulnerability affects versions 7.4.0 and below. Although the patch from WooCommerce has been available for two weeks, more than 55% of the plugin’s user base is running on versions older than 7.4 and it’s not clear how many 7.4.x users are on the latest version.

The WooCommerce Stripe Gateway plugin’s changelog for version 7.4.1 includes two short notes and doesn’t elaborate on the severity of the security update:

• Fix – Add Order Key Validation.
• Fix – Add sanitization and escaping some outputs.

Patchstack’s security advisory includes more technical details about underlying vulnerabilities fixed in this update. It is not yet known to have been exploited but store owners are encouraged to update to the latest 7.4.1 version as soon as possible.