WooCommerce Stripe Payment Gateway Plugin Vulnerable to Personally Identifiable Information (PII) Theft

A vulnerability has been discovered in the WooCommerce Stripe payment gateway plugin that could allow hackers to steal customer personally identifiable information (PII) from stores using the plugin. The vulnerability, which has been rated 7.5 on a scale of 1 to 10, allows hackers to steal PII without authentication.

The vulnerability was discovered by security researchers at Patchstack. According to the researchers, the vulnerability is caused by a lack of proper input validation in the plugin’s code. This allows hackers to craft malicious URLs that can be used to access sensitive customer data, such as email addresses, names, and addresses.

The vulnerability affects all versions of the WooCommerce Stripe payment gateway plugin prior to 7.4.1. WooCommerce has released a patch for the vulnerability, but it is important to note that not all users have updated to the latest version. As of June 16, 2023, over 55% of WooCommerce Stripe payment gateway plugin users are still using an outdated version that is vulnerable to this attack.

To protect your customers, it is important to update to the latest version of the WooCommerce Stripe payment gateway plugin as soon as possible. You can also take steps to mitigate the risk of this attack by implementing additional security measures, such as using a web application firewall (WAF) and strong passwords.

To summarize, here are the steps for protecting your customers from this vulnerability:

  • Update to the latest version of the WooCommerce Stripe payment gateway plugin.
  • Use a web application firewall (WAF) to block malicious traffic.
  • Require strong passwords for all users.
  • Educate your customers about phishing attacks and how to protect themselves.

By following these tips, you can help to protect your customers from this vulnerability and other potential attacks.
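To find installs that still need the update described above, the following added example (not from the article or the plugin's own code) reads the `Version:` field of a WordPress plugin header comment and compares it numerically against 7.4.1. The header samples are constructed and the function names are hypothetical.

```python
import re

FIXED_VERSION = "7.4.1"  # first patched release, per the article

# Constructed sample plugin headers (not copied from the real plugin file).
SAMPLE_OLD = """<?php
/**
 * Plugin Name: WooCommerce Stripe Gateway
 * Version: 7.4.0
 */
"""
SAMPLE_NEW = SAMPLE_OLD.replace("7.4.0", "7.10.0")


def parse_version(text):
    """Turn '7.10.0' into (7, 10, 0). Pre-release suffixes ('-beta1') are ignored."""
    nums = re.findall(r"\d+", text.split("-")[0])
    if not nums:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(n) for n in nums)


def header_version(plugin_source):
    """Extract the 'Version:' field from a plugin header comment, or None."""
    m = re.search(r"^[ \t/*#@]*Version:\s*(\S+)", plugin_source, re.M | re.I)
    return m.group(1) if m else None


def is_vulnerable(plugin_source, fixed=FIXED_VERSION):
    """True if the header version is older than the fixed release.

    Returns None when no version can be read, so the install can be
    flagged for manual review instead of being silently passed.
    """
    found = header_version(plugin_source)
    if found is None:
        return None
    a, b = parse_version(found), parse_version(fixed)
    width = max(len(a), len(b))
    pad = lambda v: v + (0,) * (width - len(v))
    # Compare as integer tuples: as plain strings, "7.10.0" sorts before
    # "7.4.1" and a patched install would be reported as vulnerable.
    return pad(a) < pad(b)


if __name__ == "__main__":
    for name, src in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        print(name, header_version(src), "vulnerable:", is_vulnerable(src))
```

Pass the function the contents of the plugin's main PHP file from each site being audited; a `None` result means the header could not be parsed and the install should be checked by hand.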

Tree-River-Media