Description

The Stripe for WooCommerce WordPress plugin is missing a capability check on the save() function found in the ~/includes/admin/class-wc-stripe-admin-user-edit.php file that makes it possible for attackers to configure their account to use other site users unique STRIPE identifier and make purchases with their payment accounts. This affects versions 3.0.0 - 3.3.9.

Related CPE's

a

paymentplugins

stripe_for_woocommerce

*

*

*

*

*

wordpress

Vulnerable

References

https://plugins.trac.wordpress.org/changeset/2601162/woo-stripe-payment/trunk/includes/admin/class-wc-stripe-admin-user-edit.php

PatchThird Party Advisory

https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39347

Third Party Advisory

https://plugins.trac.wordpress.org/changeset/2601162/woo-stripe-payment/trunk/includes/admin/class-wc-stripe-admin-user-edit.php

PatchThird Party Advisory

https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39347

Third Party Advisory

Weaknesses

[email protected]

Secondary
CWE-862

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

4.3 · Medium

Information

Source identifier

[email protected]

Vulnerability status

Modified

Published

2021-10-04T16:15:09.433Z

4 years ago

Last modified

2024-11-21T05:19:22.160Z

1 year ago