If you run a WooCommerce store and take payments through the WooCommerce Stripe Payment Gateway plugin, there is a security bug you need to know about: CVE-2023-44999. The vulnerability is a Cross-Site Request Forgery (CSRF) and affects all plugin versions up to and including 7.6.0. This post breaks down how the issue works, how an attacker could exploit it, and what you need to do to protect your store.
What is CSRF?
CSRF stands for *Cross-Site Request Forgery*. It is an attack in which a page the attacker controls makes the victim's browser send a request the victim never intended to a site where the victim is already authenticated (such as an open WordPress admin session). The browser attaches the session cookies automatically, so the target site cannot distinguish the forged request from a legitimate one unless every state-changing request also carries a secret the attacker cannot obtain, typically a CSRF token. For a quick overview, check OWASP’s CSRF page.
About WooCommerce Stripe Payment Gateway
WooCommerce’s Stripe Payment Gateway is a widely used plugin for taking credit card payments on WooCommerce stores. Because it holds live Stripe API credentials for a large number of stores, any flaw in it carries direct financial risk.
Affected Plugin: WooCommerce Stripe Payment Gateway
- Impacted Versions: all versions up to and including 7.6.0
- Fixed Version: 7.6.1 and above
> Source:
> - WPScan Advisory
> - NVD NIST CVE-2023-44999 Entry
How Does the Vulnerability Work?
The flaw is a textbook missing-nonce CSRF. The plugin exposes admin endpoints (URLs) that change Stripe settings, such as API keys and webhook secrets. In affected versions these endpoints did not verify a CSRF token (a “nonce” in WordPress terms), so the server accepted any request that arrived with a valid administrator session cookie, no matter which site originated it.
An attacker who can get a logged-in administrator to open a page they control can therefore have that page submit a form in the background, changing the Stripe settings without the administrator's knowledge or consent.
1. The admin is logged into the WordPress backend.
2. The attacker sends the admin a link to a malicious page (by email, social media, a blog comment, etc.).
3. The malicious page contains a crafted HTML form or JavaScript that submits to the vulnerable endpoint from inside the victim’s browser session.
4. Key Stripe settings are modified: the attacker can replace the store's Stripe keys with keys for an account they control, potentially diverting payments.
Example Exploit Code
Below is a simple form an attacker might use (for learning and demonstration only).
```html
<!-- Malicious page example. The settings URL and the field names are illustrative;
     the exact parameter names depend on the plugin version. -->
<form action="https://targetsite.com/wp-admin/admin.php?page=wc-settings&amp;tab=checkout&amp;section=stripe" method="POST" style="display:none" id="csrfForm">
  <input type="text" name="stripe_api_key" value="sk_live_maliciousKeyHere" />
  <input type="text" name="stripe_webhook_secret" value="whsec_badguySecret" />
  <input type="submit" />
</form>
<script>
  // Automatically submit the form when the page loads. The request is a normal
  // top-level POST, so the victim's browser attaches their WordPress cookies to it.
  document.getElementById('csrfForm').submit();
</script>
```
If a logged-in admin visits this page, the browser submits the form with the victim's WordPress cookies attached and the server overwrites the Stripe keys. One caveat: Chromium-based browsers treat cookies that carry no SameSite attribute as SameSite=Lax, which withholds them from cross-site POST requests apart from a short grace period after the cookie was set, so the attack is not guaranteed to succeed in every browser. Treat that as a mitigation, not a fix; only the server-side nonce check actually closes the hole.
Update to version 7.6.1 or later of the WooCommerce Stripe Payment Gateway plugin.
- See the fixed version on WordPress.org.
The fix adds nonce verification to the settings-change request: the handler now rejects any request that does not carry a valid WordPress nonce. Because the nonce is tied to the victim's login session and is only ever rendered into the legitimate settings page, an attacker's page cannot obtain or guess it, which is what blocks the CSRF.
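To make the "missing nonce" point concrete, here is the pattern behind this class of bug in a WordPress settings handler, followed by the hardened form using a capability check plus nonce verification. This is an added example written for this post, not code from the WooCommerce Stripe plugin. It assumes it runs inside WordPress (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `update_option` and friends are core functions); the option name `demo_stripe_settings`, the `admin_post_*` action name and the form field names are placeholders chosen for the example.

```php
<?php
/**
 * Added example, not the plugin's own code. Shows the vulnerable pattern
 * (no nonce check) beside the hardened pattern (capability + nonce check).
 *
 * Assumptions: runs inside WordPress; 'demo_stripe_settings', the action
 * name 'demo_stripe_save_settings' and the field names are placeholders.
 */

/** Read the two settings from the POST body with basic sanitisation. */
function demo_stripe_read_settings_from_post() {
    return array(
        'secret_key'     => sanitize_text_field( wp_unslash( $_POST['secret_key'] ?? '' ) ),
        'webhook_secret' => sanitize_text_field( wp_unslash( $_POST['webhook_secret'] ?? '' ) ),
    );
}

/**
 * VULNERABLE: any POST that arrives with an admin session cookie is honoured.
 * A form on an attacker's site can trigger this in the victim's browser, and
 * the browser attaches the WordPress auth cookies automatically.
 */
function demo_stripe_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // Missing here: any proof that the request came from our own settings page.
    update_option( 'demo_stripe_settings', demo_stripe_read_settings_from_post() );
    wp_safe_redirect( admin_url( 'admin.php?page=demo-stripe&updated=1' ) );
    exit;
}

/**
 * HARDENED: capability check plus nonce verification.
 * check_admin_referer() looks for the '_wpnonce' field, verifies it against the
 * action string for the current user and session, and dies with WordPress's
 * "link expired" page if it is missing or wrong. A cross-site page never sees
 * the nonce, so the forged POST is rejected before any option is written.
 */
function demo_stripe_save_settings_hardened() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'demo_stripe_save_settings' );

    update_option( 'demo_stripe_settings', demo_stripe_read_settings_from_post() );
    wp_safe_redirect( admin_url( 'admin.php?page=demo-stripe&updated=1' ) );
    exit;
}
// Route POSTs to admin-post.php?action=demo_stripe_save_settings to the hardened handler.
add_action( 'admin_post_demo_stripe_save_settings', 'demo_stripe_save_settings_hardened' );

/**
 * The legitimate settings form. wp_nonce_field() emits the hidden '_wpnonce'
 * input (and a '_wp_http_referer' input) that check_admin_referer() expects.
 */
function demo_stripe_render_form() {
    $settings = get_option( 'demo_stripe_settings', array( 'secret_key' => '', 'webhook_secret' => '' ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_stripe_save_settings" />
        <?php wp_nonce_field( 'demo_stripe_save_settings' ); ?>
        <p><label>Secret key
            <input type="password" name="secret_key" value="<?php echo esc_attr( $settings['secret_key'] ); ?>" /></label></p>
        <p><label>Webhook secret
            <input type="password" name="webhook_secret" value="<?php echo esc_attr( $settings['webhook_secret'] ); ?>" /></label></p>
        <?php submit_button( 'Save Stripe settings' ); ?>
    </form>
    <?php
}
```

The capability check alone does not help against CSRF, since the victim is an administrator and the forged request runs with their privileges; it is the nonce that ties the request to a page the user actually loaded. For AJAX or REST handlers that must not die on failure, `wp_verify_nonce()` returns `false` instead and lets the handler return an error response; the REST API additionally checks the `X-WP-Nonce` header for cookie-authenticated requests.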
How to Protect Your Store
1. Update the Plugin:
Go to your plugin dashboard and update *WooCommerce Stripe Payment Gateway* to version 7.6.1 or higher.
2. Review Your Stripe Settings:
After patching, open the Stripe section under WooCommerce > Settings > Payments and confirm that the API keys and webhook secret belong to your own Stripe account, comparing them against the API keys page of your Stripe dashboard. If anything does not match, roll the keys in Stripe and re-enter them, and check your Stripe dashboard for webhook endpoints you did not create.
3. Educate Your Admins:
Remind all admins to be wary of unsolicited links while they are logged in, and to log out of wp-admin when they are finished rather than leaving sessions open.
References
- WPScan Advisory for CVE-2023-44999
- NVD NIST CVE page
- WooCommerce Stripe Changelog
Conclusion
CVE-2023-44999 shows why even popular, well-maintained plugins need ongoing attention. If you run WooCommerce with Stripe, update the plugin now and verify your keys. Keep plugins up to date and teach your users basic security hygiene.
Timeline
Published on: 03/27/2024 14:15:09 UTC
Last modified on: 03/27/2024 15:49:41 UTC