An Insecure Direct Object Reference (IDOR) vulnerability has been disclosed in the WooCommerce GoCardless Gateway plugin for WordPress. The flaw, located in the plugin's wc_gateway_gocardless.php file, lets an attacker bypass the plugin's authorization checks and read sensitive data or files tied to specific objects simply by changing the object identifier in a request URL. It was discovered and reported by Rafie Muhammad of Patchstack. Site owners running the plugin should update to version 2.5.7, which contains the fix.

The vulnerability is an authorization failure: the plugin resolves an object from an identifier supplied in the URL without verifying that the requester is entitled to that object, so an attacker who substitutes another identifier can retrieve data or files belonging to objects they should not be able to reach.
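The pattern behind an IDOR, and the fix, are easiest to see in code. The following is an added, illustrative example and is not the WooCommerce GoCardless Gateway plugin's code; the advisory does not say which object or parameter the real flaw involves, so this example assumes a WordPress AJAX action that looks up a WooCommerce order by a client-supplied `order_id`. The `example_` function names, the hook names and the nonce action are assumptions. The vulnerable handler is shown first, then a hardened version that binds the object to the caller.

```php
<?php
// Added illustrative example, NOT the WooCommerce GoCardless Gateway code.
// Shows the IDOR pattern (object resolved from a client-supplied ID with no
// ownership check) and one way to fix it in a WordPress/WooCommerce plugin.
// All 'example_' names and hook names are assumptions for this example.

// VULNERABLE: any logged-in user can walk ?order_id=1,2,3,... and read other
// customers' order data, because nothing ties the order to the requester.
function example_vulnerable_order_details() {
    $order_id = absint( $_GET['order_id'] ?? 0 );
    $order    = wc_get_order( $order_id ); // resolves whatever ID the client sent
    if ( ! $order ) {
        wp_send_json_error( 'not found', 404 );
    }
    // Missing: is the caller allowed to see *this* order?
    wp_send_json_success( array(
        'status' => $order->get_status(),
        'total'  => $order->get_total(),
        'email'  => $order->get_billing_email(),
    ) );
}
// Registered under a separate action name here only so both variants can be
// shown side by side; a real plugin would ship only the hardened handler.
add_action( 'wp_ajax_example_order_details_vuln', 'example_vulnerable_order_details' );

// HARDENED: the ID is still client-supplied, but the order must belong to the
// current user (or the user must be a shop manager) and the request must carry
// a valid nonce for this action.
function example_hardened_order_details() {
    check_ajax_referer( 'example_order_details', 'nonce' ); // rejects forged/replayed requests

    $order_id = absint( $_GET['order_id'] ?? 0 );
    $order    = wc_get_order( $order_id );
    $user_id  = get_current_user_id();

    // Same 404 for "does not exist" and "not yours", so the endpoint cannot be
    // used to enumerate which order IDs are valid.
    if ( ! $order || ! example_user_may_view_order( $order, $user_id ) ) {
        wp_send_json_error( 'not found', 404 );
    }

    wp_send_json_success( array(
        'status' => $order->get_status(),
        'total'  => $order->get_total(),
    ) );
}
add_action( 'wp_ajax_example_order_details', 'example_hardened_order_details' );

/**
 * Single authorization decision: the order's own customer, or a user holding
 * WooCommerce's manage_woocommerce capability, may view it. Guests (user ID 0)
 * never match an order's customer ID.
 */
function example_user_may_view_order( WC_Order $order, int $user_id ): bool {
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }
    return $user_id > 0 && (int) $order->get_customer_id() === $user_id;
}
```

To confirm an endpoint of this kind is not vulnerable, log in as an ordinary customer, request an order ID that belongs to a different customer, and expect the same 404 you would get for a non-existent order; a 200 with another customer's details is the IDOR.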

Severity:

The vulnerability has a CVSS 3.1 base score of 7.5, which places it in the High severity band (7.0 to 8.9).

Affected Versions:

All WooCommerce GoCardless Gateway releases up to and including 2.5.6 are affected; version 2.5.7 contains the fix.

Impact:

A successful exploit gives the attacker unauthorized access to sensitive files or data belonging to objects they are not entitled to, bypassing the authorization checks that should restrict that access, and can expose records held in the site's database.

Recommendation:

Update the WooCommerce GoCardless Gateway plugin to version 2.5.7 or later on every affected site. After updating, confirm that the version shown in the WordPress plugin list is 2.5.7 or later, since an update that failed silently leaves the vulnerable code in place.