Vulnerability Details CVE-2021-39347
The Stripe for WooCommerce WordPress plugin is missing a capability check on the save() function found in the ~/includes/admin/class-wc-stripe-admin-user-edit.php file that makes it possible for attackers to configure their account to use other site users unique STRIPE identifier and make purchases with their payment accounts. This affects versions 3.0.0 - 3.3.9.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 34.1%
CVSS Severity
CVSS v3 Score 4.3
CVSS v2 Score 4.0
References
- https://plugins.trac.wordpress.org/changeset/2601162/woo-stripe-payment/trunk/includes/admin/class-wc-stripe-admin-user-edit.php
- https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39347
- https://plugins.trac.wordpress.org/changeset/2601162/woo-stripe-payment/trunk/includes/admin/class-wc-stripe-admin-user-edit.php
- https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39347
Products affected by CVE-2021-39347
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.0.0
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.0.1
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.0.10
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.0.2
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.0.3
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.0.4
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.0.5
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.0.6
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.0.7
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.0.8
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.0.9
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.1.0
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.1.1
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.1.2
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.1.3
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.1.4
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.1.5
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.1.6
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.1.7
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.1.8
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.1.9
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.2.0
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.2.1
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.2.10
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.2.11
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.2.12
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.2.13
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.2.14
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.2.15
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.2.2
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.2.3
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.2.4
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.2.5
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.2.6
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.2.7
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.2.8
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.2.9
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.3.0
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.3.1
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.3.2
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.3.3
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.3.4
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.3.5
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.3.6
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.3.7
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.3.8
-
cpe:2.3:a:paymentplugins:stripe_for_woocommerce:3.3.9