1. What is this vulnerability and why does it matter?

This vulnerability, identified as CVE-2024-0705, is an SQL Injection flaw found in the Stripe Payment Plugin for WooCommerce for WordPress. It matters significantly because it allows unauthenticated attackers to append additional SQL queries into existing database queries. This capability enables them to extract sensitive information directly from the underlying database, potentially leading to critical data breaches, including customer payment details, personal data, and other confidential business information.

2. What are the CVSS score, severity level, and disclosure details?

The vulnerability has a CVSS score of 7.5, which typically classifies it as a High severity vulnerability. The vulnerability was publicly published on January 19, 2024, at 09:31:18 UTC, and last modified on April 8, 2026, at 16:42:42 UTC. An associated SVRS (Severity Rating System) score is 68.

3. Which products, vendors, systems, and versions are affected?

The affected product is the Stripe Payment Plugin for WooCommerce. It operates within the WordPress content management system. All versions of this plugin up to, and including, 3.7.9 are vulnerable.

4. What is the technical root cause and attack vector?

The technical root cause of this vulnerability is insufficient escaping on a user-supplied parameter and a lack of sufficient preparation on the existing SQL query. Specifically, the 'id' parameter is vulnerable. This oversight allows attackers to directly manipulate SQL queries. The attack vector is via the 'id' parameter, which can be exploited by an unauthenticated attacker. The Common Weakness Enumeration (CWE) associated with this vulnerability is CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection').

5. How can this vulnerability be exploited?

This vulnerability can be exploited by an unauthenticated attacker who crafts malicious input for the 'id' parameter within the Stripe Payment Plugin for WooCommerce. By injecting SQL code into this parameter, the attacker can append arbitrary SQL queries to the legitimate queries executed by the plugin. This allows them to execute unauthorized database commands, primarily to extract sensitive information from the database without authentication.

6. What mitigation steps and patches are available?

The primary mitigation step is to update the Stripe Payment Plugin for WooCommerce to a version greater than 3.7.9. It is critical to apply this update immediately to patch the SQL Injection flaw. Additionally, general best practices for preventing SQL Injection include using parameterized queries or prepared statements for all database interactions and implementing robust input validation for all user-supplied data.

7. How can vulnerable systems be detected?

Vulnerable systems can be detected by checking the installed version of the "Stripe Payment Plugin for WooCommerce" on any WordPress instance. If the version number is 3.7.9 or older, the system is susceptible to CVE-2024-0705.

10. What public intelligence references and advisories exist?

The primary public intelligence reference for this vulnerability is its Common Vulnerabilities and Exposures (CVE) identifier: CVE-2024-0705. This identifier provides the baseline information and tracking for the vulnerability across various security databases and advisories.

11. What is the risk assessment and urgency level?

Risk Assessment: High. The vulnerability allows unauthenticated attackers to perform SQL Injection, leading to the extraction of sensitive information from the database. This poses a severe risk of data breaches, compromising user data, financial information, and potentially other critical business data.
Urgency Level: High. Given the ease of exploitation (unauthenticated access) and the critical impact (data exfiltration), immediate action is required. Organizations using the affected plugin versions should prioritize updating to a patched version without delay.