CVE-2026-2381
Description
The WooCommerce Stripe Payment Gateway plugin fails to verify order ownership in the ajax_pay_for_order() function, allowing unauthenticated attackers to change order status to failed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WooCommerce Stripe Payment Gateway plugin for WordPress, in all versions up to and including 10.7.0, lacks a capability check in the ajax_pay_for_order() function [2]. This function is registered to the wc_ajax_wc_stripe_pay_for_order endpoint and is intended to process payment for an order via Express Checkout. The only validation performed is a nonce check; however, this nonce is publicly available on any WooCommerce page where Express Checkout is enabled [1]. The function does not verify that the requesting user owns the order or is authorized to modify it, allowing an attacker to target any pending order by enumerating its sequential ID.
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a crafted AJAX request to the wc_ajax_wc_stripe_pay_for_order endpoint with a valid nonce obtained from a page using Express Checkout. By providing a fake payment method and enumerating order IDs (which are sequential integers), the attacker triggers a payment exception that updates the target order's status to failed. No authentication or prior interaction is required beyond obtaining the nonce, which is freely accessible.
Impact
Successful exploitation allows an attacker to forcibly change the status of any pending order to failed, preventing legitimate customers from completing their purchases. This is a form of unauthorized modification of data, specifically the order status, leading to disruption of e-commerce operations. The attacker does not gain access to sensitive information or achieve remote code execution, but the ability to deny service to pending orders can cause financial loss and reputational damage.
Mitigation
A fix is available in the plugin's development repository [3]. Users should update to version 10.7.1 or later, which includes proper order ownership verification in the ajax_pay_for_order() function. If updating is not immediately possible, consider disabling the Express Checkout feature to prevent public availability of the nonce, though this may reduce functionality.
[1] https://plugins.trac.wordpress.org/browser/woocommerce-gateway-stripe/tags/10.3.1/includes/class-wc-gateway-stripe.php#L523
[2] https://plugins.trac.wordpress.org/browser/woocommerce-gateway-stripe/tags/10.3.1/includes/payment-methods/class-wc-stripe-express-checkout-ajax-handler.php#L355
[3] https://plugins.trac.wordpress.org/changeset/3564842/woocommerce-gateway-stripe/trunk/includes/payment-methods/class-wc-stripe-express-checkout-ajax-handler.php
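The order ownership check that the Vulnerability and Mitigation sections describe, as an added PHP example (hypothetical code, not the plugin's own or its patched code): a WooCommerce-style AJAX handler that, after the nonce check, binds the requester to the order before any payment logic can run. The hook name, nonce action, parameter names and the `example_` functions are assumptions; the WordPress and WooCommerce calls used (check_ajax_referer, wc_get_order, get_customer_id, get_order_key, needs_payment) are real.

```php
<?php
// Hypothetical hardened handler (added example, not the plugin's own code).
// A nonce only proves the request came from a page that rendered it; the
// authorization step below ties the requester to the specific order.
/**
 * Return the order only if the current requester may pay for it, else null.
 * Assumed rules: a logged-in user must own the order (or be a shop manager);
 * a guest must present the per-order key that only the buyer receives.
 */
function example_get_authorized_order( $order_id, $order_key ) {
    $order = wc_get_order( absint( $order_id ) );
    if ( ! $order ) {
        return null;
    }
    $user_id = get_current_user_id();
    if ( $user_id ) {
        $owns = (int) $order->get_customer_id() === $user_id;
        return ( $owns || current_user_can( 'edit_shop_orders' ) ) ? $order : null;
    }
    // Guest checkout: constant-time comparison of the secret order key.
    if ( $order_key && hash_equals( $order->get_order_key(), $order_key ) ) {
        return $order;
    }
    return null;
}

function example_ajax_pay_for_order() {
    // 1. CSRF check. Nonce action and field name are assumptions.
    check_ajax_referer( 'example_pay_for_order', 'security' );
    $order_id  = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $order_key = isset( $_POST['order_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['order_key'] ) ) : '';
    // 2. Authorization: the step the vulnerable handler lacked.
    $order = example_get_authorized_order( $order_id, $order_key );
    if ( ! $order ) {
        // One response for "missing" and "not yours" so IDs are not confirmed.
        wp_send_json_error( array( 'message' => 'Order not found.' ), 403 );
    }
    // 3. Only orders awaiting payment should reach gateway processing.
    if ( ! $order->needs_payment() ) {
        wp_send_json_error( array( 'message' => 'Order does not need payment.' ), 400 );
    }
    // Hand $order to the gateway here; a payment failure can now only mark
    // the caller's own order as failed.
    wp_send_json_success();
}
add_action( 'wc_ajax_example_pay_for_order', 'example_ajax_pay_for_order' );
```

Because wp_send_json_error() terminates the request, the gateway code is reached only for an order the caller is entitled to pay for, so an induced payment exception can no longer fail an arbitrary pending order.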
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=10.7.0
Patches
- r3564842
References
- plugins.trac.wordpress.org/browser/woocommerce-gateway-stripe/tags/10.3.1/includes/class-wc-gateway-stripe.php
- plugins.trac.wordpress.org/browser/woocommerce-gateway-stripe/tags/10.3.1/includes/payment-methods/class-wc-stripe-express-checkout-ajax-handler.php
- plugins.trac.wordpress.org/changeset/3564842/woocommerce-gateway-stripe/trunk/includes/payment-methods/class-wc-stripe-express-checkout-ajax-handler.php
- plugins.trac.wordpress.org/changeset
- research.cleantalk.org/cve-2026-2381
- www.wordfence.com/threat-intel/vulnerabilities/id/ab3b52f7-e2c3-44f7-8e19-b6c51ccd50e0