Skip to main content

WooCommerce Stripe Gateway CVE-2026-45217

| EUVDEUVD-2026-31769 MEDIUM
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-05-25 Patchstack GHSA-rpvx-ppgf-2678
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 12:14 vuln.today
CVE Published
May 25, 2026 - 22:29 nvd
MEDIUM 6.5

DescriptionCVE.org

Authentication Bypass Using an Alternate Path or Channel vulnerability in ThemeHigh Stripe Payment Gateway for WooCommerce allows Password Recovery Exploitation.

This issue affects Stripe Payment Gateway for WooCommerce: from n/a through 5.0.7.

AnalysisAI

Authentication bypass in ThemeHigh's Stripe Payment Gateway for WooCommerce (all versions through 5.0.7) allows unauthenticated remote attackers to exploit the plugin's password recovery flow to gain unauthorized access, affecting both data integrity and availability (CVSS 6.5). The flaw is classified as CWE-288 - Authentication Bypass Using an Alternate Path or Channel - meaning the plugin exposes an alternative code path that circumvents normal authentication controls. No public exploit code has been identified at time of analysis, and CISA has not added this to KEV, though SSVC flags the attack as automatable with partial technical impact.

Technical ContextAI

CWE-288 describes a class of flaws where an application implements authentication on a primary path but fails to enforce equivalent controls on an alternative path or channel - in this case, the password recovery mechanism within the WooCommerce Stripe plugin. WordPress plugins frequently implement custom account or payment-related flows that run outside core WordPress authentication, making them susceptible to logic gaps. The affected component is cpe:2.3:a:themehigh:stripe_payment_gateway_for_woocommerce:*:*:*:*:*:*:*:*, covering all tracked versions up to and including 5.0.7. The password recovery exploitation vector suggests the plugin handles account verification or token validation independently, and that verification logic can be subverted to assume a user identity without valid credentials.

RemediationAI

Update the ThemeHigh Stripe Payment Gateway for WooCommerce plugin to a version beyond 5.0.7; a patched release is referenced in the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/payment-gateway-stripe-and-woocommerce-integration/vulnerability/wordpress-stripe-payment-gateway-for-woocommerce-plugin-5-0-7-broken-authentication-vulnerability), though the exact fixed version number is not independently confirmed from the available input data - verify the latest release via the WordPress plugin repository or the ThemeHigh vendor page. If immediate patching is not feasible, consider temporarily disabling the plugin's password recovery or account management functionality at the application layer, or restricting access to the relevant WooCommerce endpoints via WAF rules targeting the plugin's recovery parameter patterns. Disabling the plugin entirely is a high-impact workaround given it handles payment processing. Site administrators should also audit recent password reset activity for anomalous patterns as a detection measure.

Share

CVE-2026-45217 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy