The plugin is missing a capability check on the save() function found in the ~/includes/admin/class-wc-stripe-admin-user-edit.php file that makes it possible for attackers to configure their account to use other site users unique STRIPE identifier and make purchases with their payment accounts
CPE | Name | Operator | Version |
---|---|---|---|
woo-stripe-payment | lt | 3.3.10 |