4.3
CVE-2021-39347
- EPSS 0.14%
- Veröffentlicht 04.10.2021 18:15:09
- Zuletzt bearbeitet 21.11.2024 06:19:22
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
LoginStripe for WooCommerce 3.0.0 - 3.3.9 - Missing Authorization Controls to Financial Account Hijacking
The Stripe for WooCommerce WordPress plugin is missing a capability check on the save() function found in the ~/includes/admin/class-wc-stripe-admin-user-edit.php file that makes it possible for attackers to configure their account to use other site users unique STRIPE identifier and make purchases with their payment accounts. This affects versions 3.0.0 - 3.3.9.
Mögliche Gegenmaßnahme
Stripe for WooCommerce: Update to version 3.3.10, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Stripe for WooCommerce
Version
3.0.0-3.3.9
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Paymentplugins ≫ Stripe For Woocommerce SwPlatformwordpress Version >= 3.0.0 <= 3.3.9
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.14% | 0.299 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4 | 8 | 2.9 |
AV:N/AC:L/Au:S/C:N/I:P/A:N
|
| security@wordfence.com | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
|
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.