CVE-2023-3162

CRITICAL

Stripe Payment Plugin for WooCommerce <3.7.7 - Auth Bypass

Title source: llm

Description

The Stripe Payment Plugin for WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.7.7. This is due to insufficient verification on the user being supplied during a Stripe checkout through the plugin. This allows unauthenticated attackers to log in as users who have orders, who are typically customers.

References (3)

Core 3

Core References

Patch

https://plugins.trac.wordpress.org/browser/payment-gateway-stripe-and-woocommerce-integration/tags/3.7.7/includes/class-stripe-checkout.php#L640

Patch

https://plugins.trac.wordpress.org/changeset/2925361/payment-gateway-stripe-and-woocommerce-integration

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/4d052f3e-8554-43f0-a5ae-1de09c198d7b?source=cve

Scores

CVSS v3 9.8

EPSS 0.0097

EPSS Percentile 57.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-288

Status published

Products (2)

themehigh/Payment Gateway of Stripe for WooCommerce < 3.7.7

webtoffee/stripe_payment_plugin_for_woocommerce < 3.7.7

Published Aug 31, 2023

Tracked Since Feb 18, 2026