Platform
wordpress
Component
payment-gateway-stripe-and-woocommerce-integration
Fixed in
3.7.10
CVE-2024-0705 describes a critical SQL Injection vulnerability discovered in the Stripe Payment Plugin for WooCommerce WordPress plugin. This flaw allows unauthenticated attackers to inject malicious SQL queries, potentially leading to unauthorized data extraction. The vulnerability impacts versions up to and including 3.7.9. A patch is available, requiring users to upgrade to a secure version.
The SQL Injection vulnerability in the Stripe Payment Plugin for WooCommerce allows attackers to manipulate database queries. By injecting malicious SQL code through the 'id' parameter, an attacker can bypass security measures and directly access sensitive information stored within the WordPress database. This could include customer data (names, addresses, payment details), order information, and potentially even administrative credentials. Successful exploitation could lead to data breaches, financial fraud, and complete compromise of the WooCommerce store. The impact is particularly severe given the plugin's widespread use for processing payments, making it a prime target for malicious actors.
CVE-2024-0705 was publicly disclosed on January 19, 2024. While no active exploitation campaigns have been definitively confirmed, the vulnerability's critical severity and ease of exploitation make it a high-priority target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
WooCommerce store owners utilizing the Stripe Payment Plugin, particularly those running versions prior to 3.7.9, are at significant risk. Shared hosting environments where multiple WordPress installations share the same database are especially vulnerable, as a compromise of one site could potentially impact others. Sites with legacy WordPress configurations or those that haven't implemented robust security practices are also at increased risk.
• wordpress / composer / npm:
grep -r "SELECT * FROM wp_" /var/www/html/wp-content/plugins/stripe-payment-plugin-for-woocommerce/
• generic web:
curl -I https://your-wordpress-site.com/?id='; DROP TABLE wp_users;--
• wordpress / composer / npm:
wp plugin list --status=active | grep stripe-payment-plugin-for-woocommerce
• wordpress / composer / npm:
wp plugin update stripe-payment-plugin-for-woocommerce
disclosure
Exploit Status
EPSS
19.71% (95th percentile)
CVSS Vector
The primary mitigation for CVE-2024-0705 is to immediately upgrade the Stripe Payment Plugin for WooCommerce to a patched version. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent further exploitation. While not a complete solution, implementing a Web Application Firewall (WAF) with rules to filter SQL injection attempts targeting the 'id' parameter can provide an additional layer of defense. Regularly review WordPress and plugin configurations for any unusual activity or suspicious modifications. After upgrading, confirm the fix by attempting a SQL injection payload through the 'id' parameter and verifying that it is properly sanitized.
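The mitigation paragraph above recommends WAF filtering of the 'id' parameter and regular review for unusual activity. The script below is an added example, not code from the advisory or from the plugin, showing how a defender can sweep existing web-server access logs for injection attempts aimed at that parameter. The log lines are constructed samples in Apache/Nginx "combined" format, the IP addresses are documentation ranges, and the indicator patterns are a deliberately small, conservative set chosen for illustration; tune them to your own traffic.

```python
"""Scan web-server access logs for SQL-injection attempts against the 'id' query parameter."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (not real traffic); the second, third and fifth carry
# textbook injection shapes, the first is a benign numeric id, the fourth has no id at all.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Jan/2024:10:00:01 +0000] "GET /?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [19/Jan/2024:10:00:02 +0000] "GET /?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.11 - - [19/Jan/2024:10:00:03 +0000] "GET /?id=1%20UNION%20SELECT%20user_login%2Cuser_pass%20FROM%20wp_users HTTP/1.1" 500 312 "-" "curl/8.0"
203.0.113.12 - - [19/Jan/2024:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.13 - - [19/Jan/2024:10:00:05 +0000] "GET /?id=7%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "python-requests/2.31"
"""

# Client IP, timestamp, method and request target of a "combined"-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Indicator patterns evaluated against the URL-decoded parameter value.
# Hypothetical minimal set for illustration; a production ruleset would be broader.
INDICATORS = {
    "quote":        re.compile(r"['\"]"),
    "sql_comment":  re.compile(r"--|/\*|#"),
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "tautology":    re.compile(r"\b(or|and)\b\s+\S+\s*=\s*\S+", re.I),
    "time_based":   re.compile(r"\b(sleep|benchmark|waitfor)\b", re.I),
    "ddl_dml":      re.compile(r"\b(drop|delete|insert|update)\b", re.I),
}


def classify_value(value: str) -> list[str]:
    """Return the names of the injection indicators present in a decoded parameter value."""
    return [name for name, rx in INDICATORS.items() if rx.search(value)]


def scan_log(text: str, param: str = "id") -> list[dict]:
    """Return one finding per request whose `param` query value carries injection indicators.

    Decoding happens in parse_qs, so percent-encoded payloads (%27, %20, ...) are matched
    on their decoded form rather than on the raw request line.
    """
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # malformed or non-matching line; skip rather than crash the sweep
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            hits = classify_value(value)
            if hits:
                findings.append({
                    "ip": m.group("ip"),
                    "timestamp": m.group("ts"),
                    "value": value,
                    "indicators": hits,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} id={f['value']!r} -> {', '.join(f['indicators'])}")
```

Run it against a real log with `scan_log(open("/var/log/apache2/access.log").read())`; the `ip` and `timestamp` fields let you correlate hits with the disclosure date and with WAF block events, and the same indicator set can be adapted into the WAF rules the paragraph above recommends.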
Update the Stripe Payment Plugin for WooCommerce to the latest available version. Version 3.8.0 or later fixes this SQL injection vulnerability.
CVE-2024-0705 is a critical SQL Injection vulnerability affecting the Stripe Payment Plugin for WooCommerce WordPress plugin, allowing attackers to extract sensitive data.
Yes, if you are using the Stripe Payment Plugin for WooCommerce version 3.7.9 or earlier, you are vulnerable to this SQL Injection attack.
Upgrade the Stripe Payment Plugin for WooCommerce to the latest version to patch the vulnerability. Consider disabling the plugin temporarily if upgrading is not immediately possible.
While no confirmed active exploitation campaigns are currently known, the vulnerability's severity and ease of exploitation suggest a high likelihood of future attacks.
Refer to the official Stripe Payment Plugin for WooCommerce website and WordPress plugin repository for the latest security advisories and updates.