Top WordPress ecommerce plugin has a major security flaw, so patch now

Craig Hale
·2 min read
WooCommerce
WooCommerce

WordPress users who have installed the WooCommerce Stripe Gateway Plugin are being urged to update to at least version 7.4.1 following the news of a major vulnerability potentially exposing users’ PII data.

The vulnerability, assigned CVE-2023-34000, relates to the free version of the WooCommerce Stripe Gateway plugin, specifically versions 7.4.0 and below. The popular ecommerce plugin has amassed more than 900,000 active installations, making the severity of the bug particularly alarming.

Because the plugin allows customers to process payments on their chosen business’s own WordPress page, rather than being diverted to an externally hosted page, the Stripe plugin has proven particularly popular.

Update Stripe WordPress plugin now

The cause for concern for CVE-2023-34000 is that any unauthenticated user has been able to access the PII data from any WooCommerce order, including email addresses, names, and full addresses.

Read more

> These are the best identity theft protection services around

> This old WordPress plugin is being used to hack compromised websites

> WordPress force installs update on 5 million sites following security worry

Credited with first finding the vulnerability, WordPress security service provider Patchstack notified the plugin vendor way back on April 17, but it wasn’t until just over six weeks later that version 7.4.1 was released to patch the issue.

The changelog for version 7.4.1 includes two entries: “Add Order Key Validation,” and “Add sanitization and escaping some outputs.”

Despite the security scare, the payment plugin remains a staple for many ecommerce businesses who choose WordPress, for its ability to process Visa, MasterCard, and American Express payments - including via Apple Pay - via Stripe’s API.

WooCommerce did not immediately respond to TechRadar Pro’s request for comment on the vulnerability which took several weeks to fix.