Payment Gateway of Stripe for WooCommerce <= 5.0.7 - Missing Authorization
Description
The Payment Gateway of Stripe for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 5.0.7. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=5.0.7What Changed in the Fix
Changes introduced in v5.0.8
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-45217 ## 1. Vulnerability Summary The **Payment Gateway of Stripe for WooCommerce** plugin (up to 5.0.7) contains a missing authorization vulnerability. This flaw exists because a specific function, registered as an AJAX action, fails to perform a capability …
Show full research plan
Exploitation Research Plan - CVE-2026-45217
1. Vulnerability Summary
The Payment Gateway of Stripe for WooCommerce plugin (up to 5.0.7) contains a missing authorization vulnerability. This flaw exists because a specific function, registered as an AJAX action, fails to perform a capability check (e.g., current_user_can( 'manage_options' )). This allows unauthenticated attackers to trigger sensitive operations, likely related to plugin configuration or order state modification, by sending a request to admin-ajax.php.
Given the CVSS score of 5.3 (Integrity: Low), the vulnerability likely allows modifying non-critical settings (like toggling debug logs) or performing actions like disconnecting the Stripe account, which disrupts service but doesn't necessarily lead to full site takeover.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action: Likely
eh_stripe_save_settings,eh_stripe_disconnect_account, oreh_stripe_clear_log(inferred from common WebToffee/Eh plugin patterns). - Authentication: None (Unauthenticated).
- Preconditions: The plugin must be active. Some actions may require a valid WordPress nonce, though unauthenticated AJAX (
wp_ajax_nopriv_) often lacks them or exposes them on the frontend.
3. Code Flow
- Entry Point: The plugin registers AJAX handlers during the
initorplugins_loadedhook. - Registration:
add_action( 'wp_ajax_nopriv_[ACTION_NAME]', 'callback_function' ). - The Sink: The
callback_functionperforms an action such asupdate_option()or interacts with the Stripe API without verifying if the requester has administrative privileges. - Vulnerable Path:
- Client sends POST request to
admin-ajax.phpwithaction=[ACTION_NAME]. - WordPress executes the registered callback.
- The callback executes privileged logic without checking
current_user_can().
- Client sends POST request to
4. Nonce Acquisition Strategy
The provided JS files (eh-affirm.js, eh-becs.js, etc.) show that the plugin localizes several data objects. If a nonce is required for the vulnerable AJAX action, it is likely contained within one of these objects.
Strategy:
- Identify the Trigger: The scripts are typically enqueued on the WooCommerce Checkout page or the "Add Payment Method" page.
- Setup:
- Ensure WooCommerce is installed and a product exists.
- Add a product to the cart and navigate to the checkout page.
- Extraction:
- Use
browser_navigateto go to the checkout page. - Use
browser_evalto extract the localized data. - Target Variables (from source):
eh_affirm_valeh_afterpay_valeh_alipay_valeh_bancontact_valeh_becs_valeh_boleto_valeh_stripe_checkout_params(fromeh-checkout.js)
- Use
- Command:
browser_eval("window.eh_affirm_val?.nonce || window.eh_stripe_checkout_params?.nonce")
Note: If wp_ajax_nopriv_ is used, the developer may have omitted the nonce check entirely, or used a generic nonce like wp_rest.
5. Exploitation Strategy
The agent will first confirm the vulnerable handler by searching the PHP source.
Step 1: Locate the Vulnerable Handler
Search the plugin directory for unauthenticated AJAX registrations:grep -rn "wp_ajax_nopriv_" wp-content/plugins/payment-gateway-stripe-and-woocommerce-integration/
Step 2: Analyze the Callback
Examine the function associated with the nopriv action. Look for:
- Lack of
current_user_can() - Use of
update_option() - Use of
delete_option() - Sensitive Stripe API calls (e.g.,
account->delete())
Step 3: Craft Payload
Assuming the action is eh_stripe_disconnect_account (a common "I:L" vulnerability):
- URL:
http://[TARGET]/wp-admin/admin-ajax.php - Method: POST
- Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action=eh_stripe_disconnect_account&nonce=[EXTRACTED_NONCE]
Step 4: Execute via http_request
// Example using Playwright tool
await http_request({
url: "http://localhost:8080/wp-admin/admin-ajax.php",
method: "POST",
body: "action=eh_stripe_disconnect_account&nonce=" + extractedNonce,
headers: { "Content-Type": "application/x-www-form-urlencoded" }
});
6. Test Data Setup
- Install Plugin: Ensure
payment-gateway-stripe-and-woocommerce-integrationversion 5.0.7 is installed. - Configure Stripe: Add dummy API keys in the plugin settings to provide "state" that can be modified.
- WooCommerce Setup:
- Create a test product:
wp post create --post_type=product --post_title='Test' --post_status=publish. - Enable the "Stripe" payment gateway in WooCommerce settings.
- Create a test product:
- Nonce Page: Create a page with the
[woocommerce_checkout]shortcode if not already present.
7. Expected Results
- Response: The server returns a
200 OKor a JSON success message (e.g.,{"success": true}). - Effect: The plugin settings are altered. For example, the Stripe API keys are cleared or the "Connection Status" in the plugin dashboard changes to "Disconnected".
8. Verification Steps
After the HTTP request, use WP-CLI to check the database state:
- Check Options:
wp option get eh_stripe_settings - Check Connection Status:
wp option get eh_stripe_account_id(or similar keys found during the search). - If the option is cleared or changed to a default/malicious value, the exploit is confirmed.
9. Alternative Approaches
- Settings Injection: If the vulnerable function is
eh_stripe_save_settings, attempt to overwrite thepublishable_keywith an attacker-controlled key to intercept future payment intents. - Log Exposure/Clearing: Check for
eh_stripe_clear_logoreh_stripe_get_logwhich could be used to hide tracks or potentially leak transaction metadata (though CVSS 5.3 C:N suggests focus is on Integrity). - Order Manipulation: Look for actions that take an
order_idand change status (e.g.,eh_stripe_update_order_status).
Summary
The Payment Gateway of Stripe for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function registered as an AJAX action. This allows unauthenticated attackers to perform sensitive administrative operations, such as modifying plugin settings or disconnecting the Stripe account connection.
Security Fix
@@ -48,3 +48,33 @@ #eh-stripe-payment-request-button{ padding: 20px 0; } + +.we-chat-overlay{ + position:fixed; + top:0; + left:0; + width:100%; + height:100%; + background: rgba(0,0,0,0.5); + display:flex; + align-items:center; + justify-content:center; + z-index:9999; +} + +#eh-wechat-qr{ + background:#fff; + padding:20px; + border-radius:8px; + text-align:center; + display: flex; + align-items: center; + flex-direction: column; + justify-content: center; +} + +#eh-wechat-message{ + margin-bottom:15px; + font-weight:600; + color:#333; +} @@ -3,7 +3,8 @@ try { - var stripe = Stripe( eh_affirm_val.key, {apiVersion: eh_affirm_val.version} ); + //var stripe = Stripe( eh_affirm_val.key, {apiVersion: eh_affirm_val.version} ); + var stripe = Stripe( eh_affirm_val.key ); } catch( error ) { console.log( error ); return; ... (truncated)
Exploit Outline
1. Identify the targeted AJAX handler that lacks authorization checks, such as 'eh_stripe_disconnect_account' or 'eh_stripe_save_settings'. 2. Navigate to a public page (e.g., the WooCommerce checkout page) to find localized JavaScript objects like 'eh_stripe_checkout_params' or 'eh_payment_request_params'. 3. Extract the required security nonce from these localized objects (e.g., 'window.eh_stripe_checkout_params.nonce'). 4. Craft a POST request to '/wp-admin/admin-ajax.php' with the 'action' parameter set to the vulnerable callback and the extracted nonce in the request body. 5. Execute the request to perform unauthorized administrative actions, such as clearing plugin logs or resetting the Stripe API connection.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.