The plugin does not ensure that the order details to be displayed belong to the user making the request, allowing unauthenticated users to access sensitive information about the reorder details, such as first/last names, email and address.
As an unauthenticated user, view the source of https://example.com/?pay_for_order=true&order-pay=80 (80 being a valid order number).
CPE

Name | Operator | Version
---|---|---
woocommerce-gateway-stripe | lt | 7.4.1
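
To check whether a site running a version below 7.4.1 saw this request pattern, the following added example (not part of the original advisory or the plugin's code) scans web server access logs for successful `pay_for_order=true&order-pay=N` requests that carry no `key` parameter and groups the requested order numbers by client. It assumes combined log format and that legitimate WooCommerce payment links include the order key; the sample lines, the function name and the `min_orders` threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (documentation IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /?pay_for_order=true&order-pay=80 HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /?pay_for_order=true&order-pay=81 HTTP/1.1" 200 5098 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /?pay_for_order=true&order-pay=82 HTTP/1.1" 200 5133 "-" "curl/8.0"
198.51.100.4 - - [01/Jan/2024:10:05:00 +0000] "GET /checkout/order-pay/80/?pay_for_order=true&key=wc_order_EXAMPLE HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2024:10:06:00 +0000] "GET /shop/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# client IP, request target and status code from a combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')


def suspicious_order_lookups(log_text, min_orders=3):
    """Return {client_ip: sorted order numbers} for clients that fetched at
    least `min_orders` distinct orders through the query-string form of the
    pay-for-order page without supplying an order key."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, target, status = m.groups()
        query = parse_qs(urlsplit(target).query)
        if query.get("pay_for_order") != ["true"]:
            continue
        order_ids = [v for v in query.get("order-pay", []) if v.isdigit()]
        # Skip requests that carry an order key (assumed legitimate payment
        # links) and responses other than 200 (page was not served).
        if not order_ids or "key" in query or status != "200":
            continue
        seen[ip].update(int(v) for v in order_ids)
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= min_orders}


if __name__ == "__main__":
    for ip, ids in suspicious_order_lookups(SAMPLE_LOG).items():
        print(f"{ip} requested {len(ids)} orders without a key: {ids}")
```

Order numbers returned here identify the customers whose details may have been exposed and who may need to be notified.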