CVE-2021-39347

MEDIUM

Stripe for WooCommerce 3.0.0-3.3.9 - Missing Authorization in User Edit Save Function

Title source: llm
STIX 2.1

Description

The Stripe for WooCommerce WordPress plugin is missing a capability check on the save() function found in the ~/includes/admin/class-wc-stripe-admin-user-edit.php file that makes it possible for attackers to configure their account to use other site users unique STRIPE identifier and make purchases with their payment accounts. This affects versions 3.0.0 - 3.3.9.

Scores

CVSS v3 4.3
EPSS 0.0065
EPSS Percentile 46.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (1)
paymentplugins/stripe_for_woocommerce 3.0.0 - 3.3.9
Published Oct 04, 2021
Tracked Since Feb 18, 2026