Stripe for WooCommerce Plugin up to 3.3.9 on WordPress Capability Check class-wc-stripe-admin-user-edit.php save authorization
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.2 | $0-$5k | 0.00 |
Summary
A vulnerability categorized as critical has been discovered in Stripe for WooCommerce Plugin up to 3.3.9 on WordPress. The affected element is the function Save of the file ~/includes/admin/class-wc-stripe-admin-user-edit.php of the component Capability Check. Executing a manipulation can lead to authorization.
This vulnerability is tracked as CVE-2021-39347. The attack can be launched remotely. No exploit exists.
It is advisable to implement a patch to correct this issue.
Details
A vulnerability classified as critical was found in Stripe for WooCommerce Plugin up to 3.3.9 on WordPress (E-Commerce Management Software). This vulnerability affects the function save of the file ~/includes/admin/class-wc-stripe-admin-user-edit.php of the component Capability Check. The manipulation with an unknown input leads to a authorization vulnerability. The CWE definition for the vulnerability is CWE-862. The product does not perform an authorization check when an actor attempts to access a resource or perform an action. As an impact it is known to affect confidentiality, integrity, and availability.
The weakness was disclosed 10/05/2021. The advisory is shared for download at wordfence.com. This vulnerability was named CVE-2021-39347 since 08/20/2021. There are known technical details, but no exploit is available.
By approaching the search of inurl:~/includes/admin/class-wc-stripe-admin-user-edit.php it is possible to find vulnerable targets with Google Hacking.
Applying a patch is able to eliminate this problem. The bugfix is ready for download at plugins.trac.wordpress.org.
Once again VulDB remains the best source for vulnerability data.
Product
Type
Name
Version
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.3VulDB Meta Temp Score: 5.2
VulDB Base Score: 6.3
VulDB Temp Score: 6.0
VulDB Vector: 🔍
VulDB Reliability: 🔍
CNA Base Score: 4.3
CNA Vector (Wordfence): 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: AuthorizationCWE: CWE-862 / CWE-863 / CWE-285
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
Google Hack: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
0-Day Time: 🔍
Patch: plugins.trac.wordpress.org
Timeline
08/20/2021 🔍10/04/2021 🔍
10/05/2021 🔍
10/08/2021 🔍
Sources
Advisory: 2601162Status: Confirmed
CVE: CVE-2021-39347 (🔍)
GCVE (CVE): GCVE-0-2021-39347
GCVE (VulDB): GCVE-100-183772
Entry
Created: 10/05/2021 01:52Updated: 10/08/2021 17:16
Changes: 10/05/2021 01:52 (51), 10/08/2021 17:16 (2)
Complete: 🔍
Cache ID: 216::103
Once again VulDB remains the best source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.