Back to KEVs

CVE-2023-3162

The Stripe Payment Plugin for WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.7.7. This...

Basic Information

CVE State: PUBLISHED
Reserved Date: June 08, 2023
Published Date: August 31, 2023
Last Updated: October 01, 2024
Vendor: webtoffee
Product: Stripe Payment Plugin for WooCommerce
Description: The Stripe Payment Plugin for WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.7.7. This is due to insufficient verification on the user being supplied during a Stripe checkout through the plugin. This allows unauthenticated attackers to log in as users who have orders, who are typically customers.
Tags

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

Score: 0.38% (Percentile: 58.37%) as of 2025-05-12

SSVC Information

Exploitation: none
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2023-08-01 07:50:22 UTC) Source

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/4d052f3e-8554-43f0-a5ae-1de09c198d7b?source=cve https://plugins.trac.wordpress.org/browser/payment-gateway-stripe-and-woocommerce-integration/tags/3.7.7/includes/class-stripe-checkout.php#L640 https://plugins.trac.wordpress.org/changeset/2925361/payment-gateway-stripe-and-woocommerce-integration

Known Exploited Vulnerability Information

Source	Added Date
Wordfence	2023-08-01 07:50:22 UTC

Timeline

CVE ID Reserved

June 08, 2023
Added to KEVIntel

August 01, 2023
CVE Published to Public

August 31, 2023