Vulnerabilities and security researches forwoocommerce-gateway-stripe woocommerce-gateway-stripe

Jun 07, 2024

CVE, Research URL: CVE-2023-51502
Home page URL: Security reports for WooCommerce Stripe Payment Gateway
Application: WooCommerce Stripe Payment Gateway
Date: Jan 05, 2024
Research Description: Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Stripe Payment Gateway.This issue affects WooCommerce Stripe Payment Gateway: from n/a through 7.6.1.
Affected versions: max 7.6.2.
Status: vulnerable

CVE, Research URL: CVE-2023-34000
Home page URL: Security reports for WooCommerce Stripe Payment Gateway
Application: WooCommerce Stripe Payment Gateway
Date: Jun 14, 2023
Research Description: Unauth. IDOR vulnerability leading to PII Disclosure in WooCommerce Stripe Payment Gateway plugin <= 7.4.0 versions.
Affected versions: max 7.4.1.
Status: vulnerable

CVE, Research URL: CVE-2023-44999
Home page URL: Security reports for WooCommerce Stripe Payment Gateway
Application: WooCommerce Stripe Payment Gateway
Date: Mar 27, 2024
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce WooCommerce Stripe Payment Gateway.This issue affects WooCommerce Stripe Payment Gateway: from n/a through 7.6.0.
Affected versions: max 7.6.1.
Status: vulnerable

Jun 10, 2024

CVE, Research URL: CVE-2023-35049
Home page URL: Security reports for WooCommerce Stripe Payment Gateway
Application: WooCommerce Stripe Payment Gateway
Date: Jun 19, 2024
Research Description: Missing Authorization vulnerability in WooCommerce WooCommerce Stripe Payment Gateway.This issue affects WooCommerce Stripe Payment Gateway: from n/a through 7.4.0.
Affected versions: max 7.4.1.
Status: vulnerable

Jun 16, 2026

CVE, Research URL: a1aef5d00a17caff6e3316a98fe922109481691a
Home page URL: Security reports for WooCommerce Stripe Payment Gateway
Application: WooCommerce Stripe Payment Gateway
Date: Oct 17, 2023
Research Description: WooCommerce Stripe Payment Gateway [woocommerce-gateway-stripe] < 7.6.1 Stripe Gateway <= 7.6.0 - Cross-Site Request Forgery The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to 7.6.1 (exclusive). This is due to missing or incorrect nonce validation on the maybe_handle_redirect function. This makes it possible for unauthenticated attackers to change the stripe connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: max 7.6.1.
Status: vulnerable

CVE, Research URL: CVE-2026-2381
Home page URL: Security reports for WooCommerce Stripe Payment Gateway
Application: WooCommerce Stripe Payment Gateway
Date: Jun 16, 2026
Research Description: The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_pay_for_order()` function in all versions up to, and including, 10.7.0 This is due to a missing order ownership or order_key verification when processing payment for an order via the `wc_stripe_pay_for_order` WC-AJAX endpoint. The function only validates a nonce (which is publicly available on any WooCommerce page where Express Checkout is enabled), but does not verify that the requesting user owns the target order and is allowed to modify it. This makes it possible for unauthenticated attackers to force any pending order into a failed status by providing a fake payment method, causing a payment exception that updates the order status to "failed" via sequential order ID enumeration.
Affected versions: max 10.8.0.
Status: vulnerable