CVE-2021-39347 MEDIUM

CVE-2021-39347: Stripe for WooCommerce 3.0.0 - 3.3.9 Missing Authorization Controls to Financial Account Hijacking

Vendor Stripe For Woocommerce
Product Stripe for WooCommerce
Weakness CWE-862 · Missing authorization
Published October 4, 2021
Last update March 31, 2025

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The Stripe for WooCommerce WordPress plugin is missing a capability check on the save() function in the ~/includes/admin/class-wc-stripe-admin-user-edit.php file. This makes it possible for attackers to configure their account to use other site users' unique Stripe identifiers and make purchases with those users' payment accounts. This affects versions 3.0.0 - 3.3.9.

Key dates

02 Disclosure timeline

October 4, 2021 CVE published
March 31, 2025 Record updated