CVE-2026-45217

Payment Gateway of Stripe for WooCommerce <= 5.0.7 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
5.0.8
Patched in
8d
Time to patch

Description

The Payment Gateway of Stripe for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 5.0.7. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=5.0.7
PublishedMay 12, 2026
Last updatedMay 19, 2026

What Changed in the Fix

Changes introduced in v5.0.8

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-45217 ## 1. Vulnerability Summary The **Payment Gateway of Stripe for WooCommerce** plugin (up to 5.0.7) contains a missing authorization vulnerability. This flaw exists because a specific function, registered as an AJAX action, fails to perform a capability …

Show full research plan

Exploitation Research Plan - CVE-2026-45217

1. Vulnerability Summary

The Payment Gateway of Stripe for WooCommerce plugin (up to 5.0.7) contains a missing authorization vulnerability. This flaw exists because a specific function, registered as an AJAX action, fails to perform a capability check (e.g., current_user_can( 'manage_options' )). This allows unauthenticated attackers to trigger sensitive operations, likely related to plugin configuration or order state modification, by sending a request to admin-ajax.php.

Given the CVSS score of 5.3 (Integrity: Low), the vulnerability likely allows modifying non-critical settings (like toggling debug logs) or performing actions like disconnecting the Stripe account, which disrupts service but doesn't necessarily lead to full site takeover.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: Likely eh_stripe_save_settings, eh_stripe_disconnect_account, or eh_stripe_clear_log (inferred from common WebToffee/Eh plugin patterns).
  • Authentication: None (Unauthenticated).
  • Preconditions: The plugin must be active. Some actions may require a valid WordPress nonce, though unauthenticated AJAX (wp_ajax_nopriv_) often lacks them or exposes them on the frontend.

3. Code Flow

  1. Entry Point: The plugin registers AJAX handlers during the init or plugins_loaded hook.
  2. Registration: add_action( 'wp_ajax_nopriv_[ACTION_NAME]', 'callback_function' ).
  3. The Sink: The callback_function performs an action such as update_option() or interacts with the Stripe API without verifying if the requester has administrative privileges.
  4. Vulnerable Path:
    • Client sends POST request to admin-ajax.php with action=[ACTION_NAME].
    • WordPress executes the registered callback.
    • The callback executes privileged logic without checking current_user_can().

4. Nonce Acquisition Strategy

The provided JS files (eh-affirm.js, eh-becs.js, etc.) show that the plugin localizes several data objects. If a nonce is required for the vulnerable AJAX action, it is likely contained within one of these objects.

Strategy:

  1. Identify the Trigger: The scripts are typically enqueued on the WooCommerce Checkout page or the "Add Payment Method" page.
  2. Setup:
    • Ensure WooCommerce is installed and a product exists.
    • Add a product to the cart and navigate to the checkout page.
  3. Extraction:
    • Use browser_navigate to go to the checkout page.
    • Use browser_eval to extract the localized data.
    • Target Variables (from source):
      • eh_affirm_val
      • eh_afterpay_val
      • eh_alipay_val
      • eh_bancontact_val
      • eh_becs_val
      • eh_boleto_val
      • eh_stripe_checkout_params (from eh-checkout.js)
  4. Command:
    browser_eval("window.eh_affirm_val?.nonce || window.eh_stripe_checkout_params?.nonce")

Note: If wp_ajax_nopriv_ is used, the developer may have omitted the nonce check entirely, or used a generic nonce like wp_rest.

5. Exploitation Strategy

The agent will first confirm the vulnerable handler by searching the PHP source.

Step 1: Locate the Vulnerable Handler

Search the plugin directory for unauthenticated AJAX registrations:
grep -rn "wp_ajax_nopriv_" wp-content/plugins/payment-gateway-stripe-and-woocommerce-integration/

Step 2: Analyze the Callback

Examine the function associated with the nopriv action. Look for:

  • Lack of current_user_can()
  • Use of update_option()
  • Use of delete_option()
  • Sensitive Stripe API calls (e.g., account->delete())

Step 3: Craft Payload

Assuming the action is eh_stripe_disconnect_account (a common "I:L" vulnerability):

  • URL: http://[TARGET]/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body: action=eh_stripe_disconnect_account&nonce=[EXTRACTED_NONCE]

Step 4: Execute via http_request

// Example using Playwright tool
await http_request({
  url: "http://localhost:8080/wp-admin/admin-ajax.php",
  method: "POST",
  body: "action=eh_stripe_disconnect_account&nonce=" + extractedNonce,
  headers: { "Content-Type": "application/x-www-form-urlencoded" }
});

6. Test Data Setup

  1. Install Plugin: Ensure payment-gateway-stripe-and-woocommerce-integration version 5.0.7 is installed.
  2. Configure Stripe: Add dummy API keys in the plugin settings to provide "state" that can be modified.
  3. WooCommerce Setup:
    • Create a test product: wp post create --post_type=product --post_title='Test' --post_status=publish.
    • Enable the "Stripe" payment gateway in WooCommerce settings.
  4. Nonce Page: Create a page with the [woocommerce_checkout] shortcode if not already present.

7. Expected Results

  • Response: The server returns a 200 OK or a JSON success message (e.g., {"success": true}).
  • Effect: The plugin settings are altered. For example, the Stripe API keys are cleared or the "Connection Status" in the plugin dashboard changes to "Disconnected".

8. Verification Steps

After the HTTP request, use WP-CLI to check the database state:

  • Check Options: wp option get eh_stripe_settings
  • Check Connection Status: wp option get eh_stripe_account_id (or similar keys found during the search).
  • If the option is cleared or changed to a default/malicious value, the exploit is confirmed.

9. Alternative Approaches

  • Settings Injection: If the vulnerable function is eh_stripe_save_settings, attempt to overwrite the publishable_key with an attacker-controlled key to intercept future payment intents.
  • Log Exposure/Clearing: Check for eh_stripe_clear_log or eh_stripe_get_log which could be used to hide tracks or potentially leak transaction metadata (though CVSS 5.3 C:N suggests focus is on Integrity).
  • Order Manipulation: Look for actions that take an order_id and change status (e.g., eh_stripe_update_order_status).
Research Findings
Static analysis — not yet PoC-verified

Summary

The Payment Gateway of Stripe for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function registered as an AJAX action. This allows unauthenticated attackers to perform sensitive administrative operations, such as modifying plugin settings or disconnecting the Stripe account connection.

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/payment-gateway-stripe-and-woocommerce-integration/5.0.7/assets/css/eh-style.css /home/deploy/wp-safety.org/data/plugin-versions/payment-gateway-stripe-and-woocommerce-integration/5.0.8/assets/css/eh-style.css
--- /home/deploy/wp-safety.org/data/plugin-versions/payment-gateway-stripe-and-woocommerce-integration/5.0.7/assets/css/eh-style.css	2026-01-06 03:11:06.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/payment-gateway-stripe-and-woocommerce-integration/5.0.8/assets/css/eh-style.css	2026-05-04 21:15:36.000000000 +0000
@@ -48,3 +48,33 @@
 #eh-stripe-payment-request-button{
     padding: 20px 0;
 }
+
+.we-chat-overlay{
+    position:fixed;
+    top:0;
+    left:0;
+    width:100%;
+    height:100%;
+    background: rgba(0,0,0,0.5);
+    display:flex;
+    align-items:center;
+    justify-content:center;
+    z-index:9999;
+}
+
+#eh-wechat-qr{
+    background:#fff;
+    padding:20px;
+    border-radius:8px;
+    text-align:center;
+    display: flex;
+    align-items: center;
+    flex-direction: column;
+    justify-content: center;
+}
+
+#eh-wechat-message{
+    margin-bottom:15px;
+    font-weight:600;
+    color:#333;
+}
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/payment-gateway-stripe-and-woocommerce-integration/5.0.7/assets/js/eh-affirm.js /home/deploy/wp-safety.org/data/plugin-versions/payment-gateway-stripe-and-woocommerce-integration/5.0.8/assets/js/eh-affirm.js
--- /home/deploy/wp-safety.org/data/plugin-versions/payment-gateway-stripe-and-woocommerce-integration/5.0.7/assets/js/eh-affirm.js	2026-01-06 03:11:06.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/payment-gateway-stripe-and-woocommerce-integration/5.0.8/assets/js/eh-affirm.js	2026-05-04 21:15:36.000000000 +0000
@@ -3,7 +3,8 @@
     
 
 try {
-    var stripe = Stripe( eh_affirm_val.key, {apiVersion: eh_affirm_val.version} );
+    //var stripe = Stripe( eh_affirm_val.key, {apiVersion: eh_affirm_val.version} );
+    var stripe = Stripe( eh_affirm_val.key );
 } catch( error ) {
     console.log( error );
     return;
... (truncated)

Exploit Outline

1. Identify the targeted AJAX handler that lacks authorization checks, such as 'eh_stripe_disconnect_account' or 'eh_stripe_save_settings'. 2. Navigate to a public page (e.g., the WooCommerce checkout page) to find localized JavaScript objects like 'eh_stripe_checkout_params' or 'eh_payment_request_params'. 3. Extract the required security nonce from these localized objects (e.g., 'window.eh_stripe_checkout_params.nonce'). 4. Craft a POST request to '/wp-admin/admin-ajax.php' with the 'action' parameter set to the vulnerable callback and the extracted nonce in the request body. 5. Execute the request to perform unauthorized administrative actions, such as clearing plugin logs or resetting the Stripe API connection.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.