CVE-2024-0705
Published 2024-01-19. CVE-2024-0705: The Stripe Payment Plugin for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including…
Priority: P2 60 · Severity: high · CVSS 3.1 base score: 7.5
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (network, low complexity, no privileges, no user interaction, scope unchanged; high confidentiality impact, no integrity or availability impact)
EXPLOIT
EPSS: 2.66% (83.8th percentile)
The Stripe Payment Plugin for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 3.7.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
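The two defects the advisory names, missing escaping and no query preparation, are easiest to see side by side. The following is an added illustration, not the plugin's code: the table names, columns and query shape are assumptions, and SQLite stands in for the WordPress database. The vulnerable lookup interpolates the 'id' value into the SQL text, so a value that closes the quote and appends a UNION pulls rows from an unrelated table; the hardened lookup binds the value as a parameter, which is what `$wpdb->prepare()` does in WordPress, so the same input simply fails to match.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed in-memory database standing in for a WordPress site. The
    # schema is an assumption for illustration, not the plugin's real tables.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE wp_users (user_login TEXT, user_email TEXT);
        INSERT INTO wp_users VALUES ('admin', 'admin@example.test');
        CREATE TABLE stripe_txn (id INTEGER, order_id TEXT, status TEXT);
        INSERT INTO stripe_txn VALUES (6, 'order-1001', 'succeeded');
        INSERT INTO stripe_txn VALUES (7, 'order-1002', 'failed');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, txn_id: str) -> list:
    # The pattern the advisory describes: the user-supplied value is pasted
    # into the SQL text with no escaping and no parameter binding, so the
    # attacker controls part of the statement.
    sql = f"SELECT order_id, status FROM stripe_txn WHERE id = '{txn_id}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, txn_id: str) -> list:
    # Bound parameter: the value is only ever compared, never parsed as SQL.
    # WordPress equivalent: $wpdb->prepare("... WHERE id = %d", $id).
    # Casting to int (absint() in WordPress) would be a second layer.
    return conn.execute(
        "SELECT order_id, status FROM stripe_txn WHERE id = ?", (txn_id,)
    ).fetchall()


# Constructed payload: closes the quote, appends a UNION against another
# table and comments out the trailing quote the original query adds.
UNION_PAYLOAD = "6' UNION SELECT user_login, user_email FROM wp_users -- "


def demo() -> dict:
    conn = build_db()
    return {
        "vuln_normal": lookup_vulnerable(conn, "6"),
        "vuln_injected": lookup_vulnerable(conn, UNION_PAYLOAD),
        "safe_normal": lookup_hardened(conn, "6"),
        "safe_injected": lookup_hardened(conn, UNION_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

`vuln_injected` returns the admin login and e-mail alongside the transaction row, which is the "extract sensitive information from the database" outcome in the description; `safe_injected` returns nothing because the whole payload is treated as one literal value.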
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| themehigh | payment_gateway_of_stripe_for_woocommerce | <= 3.7.9 | — |
| webtoffee | stripe_payment_plugin_for_woocommerce | < 3.8.0 | 3.8.0 |
Detection & IOCs (extracted from sources)
sigma: the fragment indexed under this label is identical to the Nuclei template fragment shown under the Nuclei entry below (the `status_code == 200` matcher, `condition: and` and the `# digest:` line). It is Nuclei matcher syntax, not a Sigma rule; no Sigma rule is actually present.
- Monitor for SQL injection attempts via the 'id' parameter in the Stripe Payment Plugin for WooCommerce (versions up to and including 3.7.9). Look for appended SQL syntax (quotes, comment markers, UNION, stacked queries) in the 'id' parameter of plugin requests, after URL-decoding the value.
- Unauthenticated requests (no session or auth cookie) targeting the plugin endpoint with a manipulated 'id' parameter and receiving HTTP 200 responses should be treated as suspicious and investigated for data exfiltration.
- The rule fragment in the source is incomplete and is Nuclei template syntax (an HTTP matcher on `status_code == 200` with `condition: and`), not a Sigma rule: it lacks the request definition, a full detection block and any log source definition. Treat it as a partial indicator only; it needs to be completed before it can be deployed in a scanner or SIEM.
- The vulnerability affects all plugin versions up to and including 3.7.9; scope any version-based detection or blocking accordingly so that it does not fire on patched versions (3.8.0 and later).
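The two monitoring points above, SQL syntax in a decoded 'id' value and the unauthenticated-plus-HTTP-200 combination, can be turned into a small triage pass over proxy or WAF events. The following is an added example, not a rule from the page or from the plugin's authors. It assumes JSON-lines events with `uri`, `status`, `cookie` and `src` fields, and it scopes to the plugin by matching the plugin slug from the plugins.trac.wordpress.org changeset URL cited on this page; the exact vulnerable endpoint is not named anywhere on the page, so the `wc-api=` paths in the constructed sample log and the `PLUGIN_HINTS` filter are assumptions to adjust per site. Values are decoded a second time so that double-encoded payloads are inspected in clear.

```python
import json
import re
from typing import Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Scope filter. The slug comes from the trac changeset URL on this page; the
# vulnerable endpoint itself is not named there, so this is an assumption.
PLUGIN_HINTS = ("payment-gateway-stripe-and-woocommerce-integration", "stripe")

# Appended SQL syntax: quotes, comment markers, stacked-query separators,
# UNION/SELECT keywords and common time-based probes.
SQLI_PATTERN = re.compile(
    r"""['"]|--|;|/\*|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(""", re.I
)

# WordPress sets this cookie prefix for logged-in sessions; its absence means
# the request was unauthenticated.
WP_AUTH_COOKIE = "wordpress_logged_in_"


def id_values(uri: str) -> list:
    """Every 'id' value in the query string, decoded twice so that a
    double-encoded payload (%2527 -> %27 -> ') is inspected in clear."""
    query = urlsplit(uri).query
    return [unquote_plus(v) for v in parse_qs(query, keep_blank_values=True).get("id", [])]


def classify(event: dict) -> Optional[dict]:
    """Return a finding for one event, or None if it looks benign."""
    uri = event["uri"]
    if not any(h in uri.lower() for h in PLUGIN_HINTS):
        return None
    hits = [v for v in id_values(uri) if SQLI_PATTERN.search(v)]
    if not hits:
        return None
    unauth = WP_AUTH_COOKIE not in event.get("cookie", "")
    # Unauthenticated request answered with HTTP 200 is the combination the
    # advisory makes possible; rank it above everything else.
    severity = "high" if unauth and event["status"] == 200 else "medium"
    return {
        "ts": event["ts"],
        "src": event["src"],
        "severity": severity,
        "unauthenticated": unauth,
        "status": event["status"],
        "id_values": hits,
    }


def scan(log_lines: list) -> list:
    """Run classify() over JSON-lines events and collect the findings."""
    findings = []
    for line in log_lines:
        finding = classify(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events (not real traffic); paths are assumptions.
SAMPLE_LOG = [
    '{"ts":"2024-01-20T10:00:01Z","src":"203.0.113.5","uri":"/?wc-api=payment-gateway-stripe-and-woocommerce-integration&id=6","status":200,"cookie":""}',
    '{"ts":"2024-01-20T10:00:02Z","src":"203.0.113.5","uri":"/?wc-api=payment-gateway-stripe-and-woocommerce-integration&id=6%27+UNION+SELECT+user_login,user_pass+FROM+wp_users--+","status":200,"cookie":""}',
    '{"ts":"2024-01-20T10:00:03Z","src":"198.51.100.7","uri":"/?wc-api=payment-gateway-stripe-and-woocommerce-integration&id=6%2527%2520OR%25201%253D1","status":200,"cookie":""}',
    '{"ts":"2024-01-20T10:00:04Z","src":"192.0.2.9","uri":"/?wc-api=payment-gateway-stripe-and-woocommerce-integration&id=6%27;SELECT+1","status":500,"cookie":"wordpress_logged_in_abc=editor%7C..."}',
    '{"ts":"2024-01-20T10:00:05Z","src":"192.0.2.10","uri":"/shop/?orderby=price&id=42","status":200,"cookie":""}',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"], f["src"], f["status"], f["id_values"])
```

On the constructed log the first and last events are ignored (plain numeric id, or outside the plugin scope), the two unauthenticated injection attempts answered with 200 come out as high, and the logged-in attempt that produced a 500 comes out as medium. The double-decoding is what catches the third event; a single decode would leave `%27` in the value and miss the quote.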
VulDB
Stripe Payment Plugin for WooCommerce Plugin up to 3.7.9 on WordPress sql injection
vuldb · 2026-04-11 · CVSS 9.8
CVE-2024-0705 [CRITICAL] Stripe Payment Plugin for WooCommerce Plugin up to 3.7.9 on WordPress sql injection
A vulnerability was found in Stripe Payment Plugin for WooCommerce Plugin up to 3.7.9 on WordPress. It has been declared as critical. This issue affects some unknown processing. Executing a manipulation can lead to sql injection.
This vulnerability is registered as CVE-2024-0705. It is possible to launch the attack remotely. No exploit is available.
GHSA
GHSA-5jv7-xqc8-wq28: The Stripe Payment Plugin for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and includ
ghsa_unreviewed · 2024-01-19
CVE-2024-0705 [CRITICAL] CWE-89 GHSA-5jv7-xqc8-wq28: The Stripe Payment Plugin for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and includ
The Stripe Payment Plugin for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 3.7.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
No detection rules found.
Nuclei
Stripe Payment Plugin for WooCommerce <= 3.7.9 - Unauthenticated SQL Injection
nuclei · CVSS 7.5
CVE-2024-0705 [HIGH] Stripe Payment Plugin for WooCommerce <= 3.7.9 - Unauthenticated SQL Injection
Template fragment as indexed (only the tail of the matcher section survived extraction; the request definition is missing):

```yaml
Stripe Payment Plugin for WooCommerce = 6'
        - 'status_code == 200'
        condition: and
# digest: 490a00463044022016a8f39a483086cb723a70472fc1b9e9e03c54f04f39acf8999ef20f420f33140220077b732ba43da08f8f739ae6a0f28c58e4c298a92cc0b1b34cd8584a3bd31b42:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.
References:
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2954934%40payment-gateway-stripe-and-woocommerce-integration&new=2954934%40payment-gateway-stripe-and-woocommerce-integration&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2652a7fc-b610-40f1-8b76-2129f59390ec?source=cve
Published: 2024-01-19