CVE-2023-34000: 
WordPress vulnerability analysis and mitigation

The WooCommerce Stripe Payment Gateway plugin, a widely used WordPress plugin with over 900,000 active installations, was found to contain an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability, tracked as CVE-2023-34000. The vulnerability affects versions 7.4.0 and below of the plugin, which is developed by WooCommerce to enable direct payment processing on web and mobile stores (Patchstack Article, Hacker News).

The vulnerability stems from improper handling of order objects and insufficient access control mechanisms in the plugin's 'javascriptparams' and 'paymentfields' functions. The issue occurs because the code fetches an order object using the $order_id variable constructed from query parameters without proper order ownership validation. The CVSS score for this vulnerability is 7.5 (High), indicating its significant severity (Patchstack Article).

The vulnerability allows any unauthenticated user to access sensitive Personally Identifiable Information (PII) from any WooCommerce order, including users' email addresses, full names, and complete residential addresses (Patchstack Article).

The vulnerability was patched in version 7.4.1, released on May 30, 2023. The fix implements proper validation of fetched order ownership by using the isvalidpayfororder_endpoint function to check the order based on key and ownership. Users are strongly advised to update to version 7.4.1 or later to protect against this vulnerability (Patchstack Article).