CVE-2023-3162
🟠 Łataj w tym tygodniu
Obejście uwierzytelnienia w wtyczce Stripe Payment Plugin dla WooCommerce umożliwia logowanie jako użytkownik.
CVSS
9.8
EPSS
0.3%
Exploit
none
Vendor
webtoffee
Opis źródłowy (NVD)
The Stripe Payment Plugin for WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.7.7. This is due to insufficient verification on the user being supplied during a Stripe checkout through the plugin. This allows unauthenticated attackers to log in as users who have orders, who are typically customers.
auth-bypass
Brak patcha
Źródła i daty
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 9.8 |
| CISA KEV (aktywnie wykorzystywane) | Nie |
| FIRST EPSS (prawdopodobieństwo exploita) | 0.3% |
| Opublikowano (NVD) | 2023-08-31 06:15:09 UTC |
| Ostatnia modyfikacja (NVD) | 2026-04-08 18:18:08 UTC |
Referencje
- https://plugins.trac.wordpress.org/browser/payment-gateway-stripe-and-woocommerce-integration/tags/3.7.7/includes/class-stripe-checkout.php#L640 (security@wordfence.com) [Patch]
- https://plugins.trac.wordpress.org/changeset/2925361/payment-gateway-stripe-and-woocommerce-integration (security@wordfence.com) [Patch]
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4d052f3e-8554-43f0-a5ae-1de09c198d7b?source=cve (security@wordfence.com) [Third Party Advisory]