Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Network endpoint with publicly available nonce requires no authentication; impact is limited to order status corruption with no confidentiality exposure.
Primary rating from Vendor (Wordfence).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
2DescriptionNVD
The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_pay_for_order() function in all versions up to, and including, 10.7.0 This is due to a missing order ownership or order_key verification when processing payment for an order via the wc_stripe_pay_for_order WC-AJAX endpoint. The function only validates a nonce (which is publicly available on any WooCommerce page where Express Checkout is enabled), but does not verify that the requesting user owns the target order and is allowed to modify it. This makes it possible for unauthenticated attackers to force any pending order into a failed status by providing a fake payment method, causing a payment exception that updates the order status to "failed" via sequential order ID enumeration.
AnalysisAI
Unauthenticated order sabotage in WooCommerce Stripe Payment Gateway (all versions ≤10.7.0) allows any remote attacker to force pending WooCommerce orders into a 'failed' state without owning or authenticating against those orders. The root cause is a missing authorization check on the ajax_pay_for_order() function: the only gate is a nonce that is publicly available on any page where Express Checkout is enabled, providing no actual access control. Exploitation is trivially automatable via sequential order ID enumeration, enabling targeted disruption of an entire store's pending transactions. No public exploit has been identified at time of analysis, and no KEV listing exists, but the attack complexity is effectively zero for stores with Express Checkout active.
Technical ContextAI
The vulnerability exists in the WooCommerce Stripe Payment Gateway WordPress plugin (CPE: cpe:2.3:a:woocommerce:woocommerce_stripe_payment_gateway:*:*:*:*:*:*:*:*), specifically within the ajax_pay_for_order() method of the Express Checkout AJAX handler (class-wc-stripe-express-checkout-ajax-handler.php, confirmed at line 355 in the 10.3.1 tag). The function is exposed via the wc_stripe_pay_for_order WC-AJAX endpoint, WordPress/WooCommerce's unauthenticated AJAX dispatch system. CWE-862 (Missing Authorization) applies directly: the function performs a nonce check but omits both order ownership verification and order_key validation. Because the nonce is embedded in any WooCommerce storefront page where Express Checkout is rendered, it is publicly discoverable by any visitor - effectively neutralizing the nonce as a security control. Supplying a fake payment method ID triggers a Stripe payment exception in class-wc-gateway-stripe.php (line 523 in 10.3.1 tag), which WooCommerce's order state machine interprets as a payment failure and updates the order status to 'failed'. The WordPress Trac changeset between tags 10.7.0 and 10.8.0 indicates the fix was applied in the Express Checkout AJAX handler.
RemediationAI
Upgrade the WooCommerce Stripe Payment Gateway plugin to version 10.8.0 or later, as the WordPress Trac changeset (https://plugins.trac.wordpress.org/changeset?old_path=%2Fwoocommerce-gateway-stripe/tags/10.7.0&new_path=%2Fwoocommerce-gateway-stripe/tags/10.8.0) confirms the authorization fix was applied between the 10.7.0 and 10.8.0 tags. Update via the WordPress admin plugin dashboard or WP-CLI (wp plugin update woocommerce-gateway-stripe). As an interim compensating control for stores that cannot immediately patch, disabling the Express Checkout feature removes public nonce availability from the storefront, which eliminates the accessible attack path through the wc_stripe_pay_for_order endpoint - note that this trade-off disables Apple Pay, Google Pay, and Link payment buttons for customers, which may have conversion impact. Additionally, deploying a Web Application Firewall rule to block unauthenticated POST requests to /?wc-ajax=wc_stripe_pay_for_order can reduce exposure, though WAF rules should not substitute for patching. The authoritative Wordfence advisory is at https://www.wordfence.com/threat-intel/vulnerabilities/id/ab3b52f7-e2c3-44f7-8e19-b6c51ccd50e0.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37059
GHSA-xpf8-p6c2-qcp9