CVE-2023-51502: 
WordPress vulnerability analysis and mitigation

The CVE-2023-51502 is an Authorization Bypass Through User-Controlled Key vulnerability affecting WooCommerce Stripe Payment Gateway versions through 7.6.1. The vulnerability was discovered by Rafie Muhammad and publicly disclosed on December 27, 2023. This security flaw allows unauthenticated users to manipulate completed or pending orders through an Insecure Direct Object Reference (IDOR) vulnerability (Patchstack, WPScan).

The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key) and received varying CVSS scores. The National Vulnerability Database (NVD) assigned it a Critical severity score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), while Patchstack rated it as High severity with a score of 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). The vulnerability stems from improper ownership verification of completed/pending orders (NVD).

The vulnerability allows unauthenticated users to put completed or pending orders in the trash and delete them, potentially causing significant disruption to e-commerce operations. This security flaw could lead to unauthorized manipulation of order data, affecting business operations and customer transactions (WPScan).

The vulnerability has been patched in version 7.6.2 of the WooCommerce Stripe Payment Gateway plugin. Users are strongly advised to update to this version or later to remediate the security risk (WPScan).