• Resolved fotinos

    (@fotinos)


    Hi, a notification on my WordPress website dashboard stated that

    “Action required: Security update of WooCommerce Stripe plugin”.

    I have updated to version 7.4.1 since but could you share more information about the vulnerability? Is a site that only allows for guest purchases vulnerable to this?

    Thank you so much!

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Support Douglas I. a11n

    (@imodouglas)

    Hi @fotinos, thank you for reaching out and for updating to the latest version.

    I have updated to version 7.4.1 since but could you share more information about the vulnerability?

    We recently discovered a potential vulnerability in several WooCommerce extensions focused on payments and payment processing. We immediately started working on a patch for the impacted WooCommerce extensions and began efforts to contact merchants using the extensions that would benefit from such patches.

    This vulnerability can permit unauthorized users to access some information about recent transactions (not credit card details), or possibly allow for the creation of falsified shop transactions.

    Is a site that only allows for guest purchases vulnerable to this?

    Yes, even websites that allow only guest purchases are vulnerable.

    However, since you have updated to the latest version you do not have anything to worry about.

    Thread Starter fotinos

    (@fotinos)

    Thank you so much for the reply!

    Is there a way to know a little more about this?

    For example, what information about recent transactions and how do I know whether my store got affected?

    Again, thank you so much! Best,

    Plugin Support Douglas I. a11n

    (@imodouglas)

    Hi @fotinos

    Is there a way to know a little more about this? For example, what information about recent transactions and how do I know whether my store got affected?

    No credit card information can be accessed with this vulnerability, but email addresses, names, and other customer details can.

    About knowing whether your store got affected, it will be good to know that at this time, we have no evidence that the vulnerability was exploited beyond identifying it in our own security testing program.

    Please note that WooCommerce can’t check on your behalf to see if your site has been compromised. If your shop is hosted on WordPress.com, Pressable, or another Automattic hosting service, then we’ve automatically deployed the patch to your shop.

    For instructions to help check if your site has been compromised, please review this documentation.

    Sorry to interrupt.

    Hi @imodouglas

    Which version of the plugin is the vulnerability from? Also, when would the vulnerability be exploited (e.g. during payment processing)?

    Thank you in advance,

    Hi @shinagawa!

    This vulnerability has impacted all versions after 5.5.0.

    More information about this vulnerability can be found in this blog post.

    I hope this helps!

    Sorry to interrupt again.

    Hi @cjgeh824!

    Thank you for the reply. I figured out more information in the blog post.

    Kind regards,

  • The topic ‘Notification about security vulnerability but unsure of details’ is closed to new replies.