

CVE-2023-4040: Changeset 2954934 – WordPress Plugin Repository

The Stripe Payment Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the eh_callback_handler function in versions up to, and including, 3.7.9. This makes it possible for unauthenticated attackers to modify the order status of arbitrary WooCommerce orders.


r2945311 r2954934 650650 651651 $raw_post = file_get_contents( ‘php://input’ ); 652 if (!empty($raw_post)) { 653 $decoded = json_decode( $raw_post, true ); 654 655 if (!empty($decoded)) { 656 657 EH_Stripe_Log::log_update(‘live’, $decoded, get_bloginfo(‘blogname’) . ' - WebHook event’); 658 switch (strtolower($decoded[‘type’])) { 659 case 'charge.succeeded’: 660 case 'charge.failed’: 661 if (isset($decoded[‘data’][‘object’][‘metadata’][‘order_id’]) && !empty($decoded[‘data’][‘object’][‘metadata’][‘order_id’])) { 662 $order_id = $decoded[‘data’][‘object’][‘metadata’][‘order_id’]; 663 664 $transaction_id = sanitize_text_field($decoded[‘data’][‘object’][‘id’]); 665 666 667 if(!$order = wc_get_order( $order_id )){ 668 if(true === EH_Stripe_Payment::wt_stripe_is_HPOS_compatibile()){ 669 $meta = $wpdb->get_results( “SELECT order_id FROM " . $wpdb->prefix . “wc_orders_meta WHERE meta_key = ‘_transaction_id’ AND meta_value= '” . $transaction_id . “’” ); 670 } 671 else{ 672 $meta = $wpdb->get_results( “SELECT post_id FROM " . $wpdb->postmeta .” WHERE meta_key = ‘_transaction_id’ AND meta_value= '” . $transaction_id . “’” ); 673 } 674 675 if (!empty($meta) && isset($meta[0]->post_id)) { 676 $order_id = $meta[0]->post_id; 677 $order = wc_get_order( $order_id ); 678 } 679 else if(isset($decoded[‘data’][‘object’][‘payment_intent’])){ 680 $payment_intent_id = sanitize_text_field($decoded[‘data’][‘object’][‘payment_intent’]); 652 $sig_header = $_SERVER[‘HTTP_STRIPE_SIGNATURE’]; 653 $eh_stripe_option = get_option(“woocommerce_eh_stripe_pay_settings”); 654 $endpoint_secret = isset($eh_stripe_option[“eh_stripe_webhook_secret”]) ? 
$eh_stripe_option[“eh_stripe_webhook_secret”] : '’; 655 656 try { 657 658 if(!empty($endpoint_secret)){ 659 $event = \Stripe\Webhook::constructEvent( 660 $raw_post, $sig_header, $endpoint_secret, 1000 661 ); 662 663 if(empty($event)){ 664 throw new Exception("Error Processing Request", 1); 665 666 } 667 } 668 669 if (!empty($raw_post)) { 670 $decoded = json_decode( $raw_post, true ); 671 672 if (!empty($decoded)) { 673 674 EH_Stripe_Log::log_update(‘live’, $decoded, get_bloginfo(‘blogname’) . ' - WebHook event’); 675 switch (strtolower($decoded[‘type’])) { 676 case 'charge.succeeded’: 677 case 'charge.failed’: 678 if (isset($decoded[‘data’][‘object’][‘metadata’][‘order_id’]) && !empty($decoded[‘data’][‘object’][‘metadata’][‘order_id’])) { 679 $order_id = $decoded[‘data’][‘object’][‘metadata’][‘order_id’]; 680 681 $transaction_id = sanitize_text_field($decoded[‘data’][‘object’][‘id’]); 682 683 684 if(!$order = wc_get_order( $order_id )){ 681685 if(true === EH_Stripe_Payment::wt_stripe_is_HPOS_compatibile()){ 682 $meta = $wpdb->get_results( "SELECT order_id FROM " . $wpdb->prefix . “wc_orders_meta WHERE meta_key = ‘_eh_stripe_payment_intent’ AND meta_value= '” . $payment_intent_id . “’” ); 686 $meta = $wpdb->get_results( $wpdb->prepare(“SELECT order_id FROM %swc_orders_meta WHERE meta_key = ‘_transaction_id’ AND meta_value= %s", array($wpdb->prefix, $transaction_id) )); 683687 } 684688 else{ 685 $meta = $wpdb->get_results( “SELECT post_id FROM " . $wpdb->postmeta .” WHERE meta_key = ‘_eh_stripe_payment_intent’ AND meta_value= '” . $payment_intent_id . 
“’” ); 686 } 687 689 $meta = $wpdb->get_results( $wpdb->prepare("SELECT post_id FROM %s WHERE meta_key = ‘_transaction_id’ AND meta_value = %s", array($wpdb->postmeta, $transaction_id) )); 690 } 691 688692 if (!empty($meta) && isset($meta[0]->post_id)) { 689693 $order_id = $meta[0]->post_id; 690694 $order = wc_get_order( $order_id ); 691 } 692 } 693 694 } 695 696 if (!$order) { 697 exit; 698 } 699 700 $obj1 = new EH_Stripe_Payment(); 701 $charge_param = $obj1->make_charge_params($decoded[‘data’][‘object’], $order_id); 702 EH_Helper_Class::wt_stripe_order_db_operations($order_id, $order, 'update’, '_eh_stripe_payment_charge’, $charge_param, false); 703 704 if ( ‘on-hold’ == $order->status || ‘pending’ == $order->status) { 705 if (isset($decoded[‘data’][‘object’][‘status’]) && $decoded[‘data’][‘object’][‘status’] == ‘succeeded’) { 706 $status = $decoded[‘data’][‘object’][‘status’]; 707 708 $order->set_transaction_id( sanitize_text_field($decoded[‘data’][‘object’][‘id’] )); 709 710 711 $order_time = date('Y-m-d H:i:s’, time() + get_option(‘gmt_offset’) * 3600); 712 $source_type = $decoded[‘data’][‘object’][‘payment_method_details’][‘type’]; 713 $source_type = (isset($decoded[‘data’][‘object’][‘payment_method_details’][‘type’]) ? $decoded[‘data’][‘object’][‘payment_method_details’][‘type’] : (isset($decoded[‘data’][‘object’][‘source’][‘type’]) ? $decoded[‘data’][‘object’][‘source’][‘type’] : ‘unknown’) ); 714 $balance_transaction_id = ((is_array($decoded[‘data’][‘object’][‘balance_transaction’]) && isset($decoded[‘data’][‘object’][‘balance_transaction’][‘id’])) ? $decoded[‘data’][‘object’][‘balance_transaction’][‘id’] : (isset($decoded[‘data’][‘object’][‘balance_transaction’]) ? 
$decoded[‘data’][‘object’][‘balance_transaction’] : ‘unknown’)); 715 716 717 718 if ($decoded[‘data’][‘object’][‘captured’] == true) { 719 $captured = 'Captured’; 720 $order->payment_complete( $transaction_id ); 721 695 } 696 else if(isset($decoded[‘data’][‘object’][‘payment_intent’])){ 697 $payment_intent_id = sanitize_text_field($decoded[‘data’][‘object’][‘payment_intent’]); 698 if(true === EH_Stripe_Payment::wt_stripe_is_HPOS_compatibile()){ 699 $meta = $wpdb->get_results($wpdb->prepare( "SELECT order_id FROM %swc_orders_meta WHERE meta_key = ‘_eh_stripe_payment_intent’ AND meta_value = %s", array($wpdb->prefix, $payment_intent_id))); 722700 } 723701 else{ 724 $captured = 'Uncaptured’; 725 $order->update_status(‘on-hold’); 726 } 727 $order->add_order_note( __('Payment Status : ‘, ‘payment-gateway-stripe-and-woocommerce-integration’) . ucfirst($status) .’ [ ' . $order_time . ' ] . ' . __('Source : ', ‘payment-gateway-stripe-and-woocommerce-integration’) . $source_type . '. ' . __('Charge Status :’, ‘payment-gateway-stripe-and-woocommerce-integration’) . $captured . __('. Transaction ID : ', ‘payment-gateway-stripe-and-woocommerce-integration’) . $balance_transaction_id . __('. 
via webhook’, ‘payment-gateway-stripe-and-woocommerce-integration’) ); 728 } 729 else { 730 // Set order status to payment failed 731 $order->update_status( 'failed’, sprintf( __( 'Payment failed.’, ‘payment-gateway-stripe-and-woocommerce-integration’ ) ) ); 702 $meta = $wpdb->get_results($wpdb->prepare( “SELECT post_id FROM %s WHERE meta_key = ‘_eh_stripe_payment_intent’ AND meta_value= %s", array($wpdb->postmeta, $payment_intent_id)) ); 703 } 704 705 if (!empty($meta) && isset($meta[0]->post_id)) { 706 $order_id = $meta[0]->post_id; 707 $order = wc_get_order( $order_id ); 708 } 709 } 710 711 } 712 713 if (!$order) { 714 exit; 715 } 716 717 $obj1 = new EH_Stripe_Payment(); 718 $charge_param = $obj1->make_charge_params($decoded[‘data’][‘object’], $order_id); 719 EH_Helper_Class::wt_stripe_order_db_operations($order_id, $order, 'update’, '_eh_stripe_payment_charge’, $charge_param, false); 720 721 if ( ‘on-hold’ === $order->status || ‘pending’ === $order->status) { 722 if (isset($decoded[‘data’][‘object’][‘status’]) && $decoded[‘data’][‘object’][‘status’] === ‘succeeded’) { 723 $status = $decoded[‘data’][‘object’][‘status’]; 724 725 $order->set_transaction_id( sanitize_text_field($decoded[‘data’][‘object’][‘id’] )); 726 727 728 $order_time = date('Y-m-d H:i:s’, time() + get_option(‘gmt_offset’) * 3600); 729 $source_type = $decoded[‘data’][‘object’][‘payment_method_details’][‘type’]; 730 $source_type = (isset($decoded[‘data’][‘object’][‘payment_method_details’][‘type’]) ? $decoded[‘data’][‘object’][‘payment_method_details’][‘type’] : (isset($decoded[‘data’][‘object’][‘source’][‘type’]) ? $decoded[‘data’][‘object’][‘source’][‘type’] : ‘unknown’) ); 731 $balance_transaction_id = ((is_array($decoded[‘data’][‘object’][‘balance_transaction’]) && isset($decoded[‘data’][‘object’][‘balance_transaction’][‘id’])) ? $decoded[‘data’][‘object’][‘balance_transaction’][‘id’] : (isset($decoded[‘data’][‘object’][‘balance_transaction’]) ? 
$decoded[‘data’][‘object’][‘balance_transaction’] : ‘unknown’)); 732 733 734 735 if ($decoded[‘data’][‘object’][‘captured’] == true) { 736 $captured = 'Captured’; 737 $order->payment_complete( $transaction_id ); 738 739 } 740 else{ 741 $captured = 'Uncaptured’; 742 $order->update_status(‘on-hold’); 743 } 744 $order->add_order_note( __('Payment Status : ‘, ‘payment-gateway-stripe-and-woocommerce-integration’) . ucfirst($status) .’ [ ' . $order_time . ' ] . ' . __('Source : ', ‘payment-gateway-stripe-and-woocommerce-integration’) . $source_type . '. ' . __('Charge Status :’, ‘payment-gateway-stripe-and-woocommerce-integration’) . $captured . __('. Transaction ID : ', ‘payment-gateway-stripe-and-woocommerce-integration’) . $balance_transaction_id . __('. via webhook’, ‘payment-gateway-stripe-and-woocommerce-integration’) ); 745 } 746 else { 747 // Set order status to payment failed 748 $order->update_status( 'failed’, sprintf( __( 'Payment failed.’, ‘payment-gateway-stripe-and-woocommerce-integration’ ) ) ); 749 } 732750 } 733751 } 734 } 735 break; 736 737 case 'charge.dispute.created’: 738 if (isset($decoded[‘data’][‘object’][‘charge’])) { 739 $charge_id = sanitize_text_field($decoded[‘data’][‘object’][‘charge’]); 740 if (!empty($charge_id)) { 741 if(true === EH_Stripe_Payment::wt_stripe_is_HPOS_compatibile()){ 742 $meta = $wpdb->get_results( “SELECT order_id FROM " . $wpdb->prefix . “wc_orders_meta WHERE meta_key = ‘_transaction_id’ AND meta_value= '” . $charge_id . “’” ); 743 } 744 else{ 745 $meta = $wpdb->get_results( “SELECT post_id FROM " . $wpdb->postmeta .” WHERE meta_key = ‘_transaction_id’ AND meta_value= '” . $charge_id . “’” ); 746 } 747 if (!empty($meta)) { 748 $order_id = $meta[0]->post_id; 749 $order = wc_get_order( $order_id ); 750 751 $order->add_order_note( __('A dispute was created for this order : ', ‘payment-gateway-stripe-and-woocommerce-integration’) . 
$decoded[‘data’][‘object’][‘charge’]); 752 753 // Set order status to payment failed 754 $order->update_status( 'failed’, sprintf( __( 'Payment failed.’, ‘payment-gateway-stripe-and-woocommerce-integration’ ) ) ); 755 } 756 } 757 } 758 break; 759 760 /*case 'charge.refund.updated’: 761 if (isset($decoded[‘data’][‘object’][‘charge’])) { 762 $charge_id = sanitize_text_field($decoded[‘data’][‘object’][‘charge’]); 763 if (!empty($charge_id)) { 764 if (isset($decoded[‘data’][‘object’][‘object’]) && $decoded[‘data’][‘object’][‘object’] == ‘refund’) { 765 766 $meta = $wpdb->get_results( “SELECT post_id FROM " . $wpdb->postmeta .” WHERE meta_key = ‘_transaction_id’ AND meta_value= '” . $charge_id . “’” ); 752 break; 753 754 case 'charge.dispute.created’: 755 if (isset($decoded[‘data’][‘object’][‘charge’])) { 756 $charge_id = sanitize_text_field($decoded[‘data’][‘object’][‘charge’]); 757 if (!empty($charge_id)) { 758 if(true === EH_Stripe_Payment::wt_stripe_is_HPOS_compatibile()){ 759 $meta = $wpdb->get_results($wpdb->prepare( "SELECT order_id FROM %swc_orders_meta WHERE meta_key = ‘_transaction_id’ AND meta_value= %s", array($wpdb->prefix, $charge_id )) ); 760 } 761 else{ 762 $meta = $wpdb->get_results($wpdb->prepare( “SELECT post_id FROM %s WHERE meta_key = ‘_transaction_id’ AND meta_value= %s", array($wpdb->postmeta, $charge_id)) ); 763 } 767764 if (!empty($meta)) { 768765 $order_id = $meta[0]->post_id; 769766 $order = wc_get_order( $order_id ); 770767 771 } 772 773 $refund_params = get_post_meta($order_id, '_eh_stripe_payment_refund’, true); 774 if(isset($refund_params[‘transaction_id’]) && !empty($refund_params[‘transaction_id’]) && $refund_params[‘transaction_id’] != $decoded[‘data’][‘object’][‘balance_transaction’]){ 775 776 777 $refund_amount = EH_Stripe_Payment::reset_stripe_amount($decoded[‘data’][‘object’][‘amount’], $order->get_currency()); 778 779 if ($decoded[‘data’][‘object’][‘status’] == ‘failed’) { 780 $reason = 
((isset($decoded[‘data’][‘object’][‘failure_reason’]) && !empty($decoded[‘data’][‘object’][‘failure_reason’])) ? $decoded[‘data’][‘object’][‘failure_reason’] 781 : ‘Refund failed - Unknown error occurred’); 782 $order->add_order_note( __('Refund of ' . get_woocommerce_currency_symbol() . $refund_amount . ' failed - ' . $reason, ‘payment-gateway-stripe-and-woocommerce-integration’)); 783 784 // Set order status to payment failed 785 $order->update_status( 'processing’, sprintf( __( 'Refund Failed.’, ‘payment-gateway-stripe-and-woocommerce-integration’ ) ) ); 768 $order->add_order_note( __('A dispute was created for this order : ', ‘payment-gateway-stripe-and-woocommerce-integration’) . $decoded[‘data’][‘object’][‘charge’]); 769 770 // Set order status to payment failed 771 $order->update_status( 'failed’, sprintf( __( 'Payment failed.’, ‘payment-gateway-stripe-and-woocommerce-integration’ ) ) ); 772 } 773 } 774 } 775 break; 776 777 /*case 'charge.refund.updated’: 778 if (isset($decoded[‘data’][‘object’][‘charge’])) { 779 $charge_id = sanitize_text_field($decoded[‘data’][‘object’][‘charge’]); 780 if (!empty($charge_id)) { 781 if (isset($decoded[‘data’][‘object’][‘object’]) && $decoded[‘data’][‘object’][‘object’] == ‘refund’) { 782 783 $meta = $wpdb->get_results( “SELECT post_id FROM " . $wpdb->postmeta .” WHERE meta_key = ‘_transaction_id’ AND meta_value= '” . $charge_id . “’” ); 784 if (!empty($meta)) { 785 $order_id = $meta[0]->post_id; 786 $order = wc_get_order( $order_id ); 787 786788 } 787 else{ 788 789 $order->add_order_note((__('Amount : ', ‘payment-gateway-stripe-and-woocommerce-integration’) .get_woocommerce_currency_symbol() . $refund_amount . ‘.<br>’ . __('Status : ', ‘payment-gateway-stripe-and-woocommerce-integration’) . ‘Success’ . (is_null($decoded[‘data’][‘object’][‘balance_transaction’]) ? ‘’ : ‘<br>’ . __('Transaction ID : ', ‘payment-gateway-stripe-and-woocommerce-integration’) . 
$decoded[‘data’][‘object’][‘balance_transaction’] ))); 790 791 // Set order status to payment failed 792 $order->update_status( 'refunded’, sprintf( __( 'Refunded.’, ‘payment-gateway-stripe-and-woocommerce-integration’ ) ) ); 789 790 $refund_params = get_post_meta($order_id, '_eh_stripe_payment_refund’, true); 791 if(isset($refund_params[‘transaction_id’]) && !empty($refund_params[‘transaction_id’]) && $refund_params[‘transaction_id’] != $decoded[‘data’][‘object’][‘balance_transaction’]){ 792 793 794 $refund_amount = EH_Stripe_Payment::reset_stripe_amount($decoded[‘data’][‘object’][‘amount’], $order->get_currency()); 795 796 if ($decoded[‘data’][‘object’][‘status’] == ‘failed’) { 797 $reason = ((isset($decoded[‘data’][‘object’][‘failure_reason’]) && !empty($decoded[‘data’][‘object’][‘failure_reason’])) ? $decoded[‘data’][‘object’][‘failure_reason’] 798 : ‘Refund failed - Unknown error occurred’); 799 $order->add_order_note( __('Refund of ' . get_woocommerce_currency_symbol() . $refund_amount . ' failed - ' . $reason, ‘payment-gateway-stripe-and-woocommerce-integration’)); 800 801 // Set order status to payment failed 802 $order->update_status( 'processing’, sprintf( __( 'Refund Failed.’, ‘payment-gateway-stripe-and-woocommerce-integration’ ) ) ); 803 } 804 else{ 805 806 $order->add_order_note((__('Amount : ', ‘payment-gateway-stripe-and-woocommerce-integration’) .get_woocommerce_currency_symbol() . $refund_amount . ‘.<br>’ . __('Status : ', ‘payment-gateway-stripe-and-woocommerce-integration’) . ‘Success’ . (is_null($decoded[‘data’][‘object’][‘balance_transaction’]) ? ‘’ : ‘<br>’ . __('Transaction ID : ', ‘payment-gateway-stripe-and-woocommerce-integration’) . 
$decoded[‘data’][‘object’][‘balance_transaction’] ))); 807 808 // Set order status to payment failed 809 $order->update_status( 'refunded’, sprintf( __( 'Refunded.’, ‘payment-gateway-stripe-and-woocommerce-integration’ ) ) ); 810 } 793811 } 794812 } 795 } 796 797 } 798 } 799 break; 800 */ 801 case 'payment_intent.succeeded’: 802 case 'payment_intent.payment_failed’: 803 if (isset($decoded[‘data’][‘object’][‘id’]) && !empty($decoded[‘data’][‘object’][‘id’])) { 804 $intent_id = sanitize_text_field($decoded[‘data’][‘object’][‘id’]); 805 806 if (isset($decoded[‘data’][‘object’][‘metadata’][‘order_id’]) && !empty($decoded[‘data’][‘object’][‘metadata’][‘order_id’])) { 807 $order_id = $decoded[‘data’][‘object’][‘metadata’][‘order_id’]; 808 if (!$order = wc_get_order( $order_id )) { 809 //if sequential plugin is installed payapl response return order no instead of order id. Then get order id from order number 810 if(class_exists(‘Wt_Advanced_Order_Number’)){ 811 $args = array( 812 ‘post_type’ => 'shop_order’, 813 ‘post_status’ => 'any’, 814 ‘meta_query’ => array( 815 array( 816 ‘key’ => '_order_number’, 817 ‘value’ => $order_id, //here you pass the Order Number 818 ‘compare’ => '=’, 813 814 } 815 } 816 break; 817 */ 818 case 'payment_intent.succeeded’: 819 case 'payment_intent.payment_failed’: 820 if (isset($decoded[‘data’][‘object’][‘id’]) && !empty($decoded[‘data’][‘object’][‘id’])) { 821 $intent_id = sanitize_text_field($decoded[‘data’][‘object’][‘id’]); 822 823 if (isset($decoded[‘data’][‘object’][‘metadata’][‘order_id’]) && !empty($decoded[‘data’][‘object’][‘metadata’][‘order_id’])) { 824 $order_id = $decoded[‘data’][‘object’][‘metadata’][‘order_id’]; 825 if (!$order = wc_get_order( $order_id )) { 826 //if sequential plugin is installed payapl response return order no instead of order id. 
Then get order id from order number 827 if(class_exists(‘Wt_Advanced_Order_Number’)){ 828 $args = array( 829 ‘post_type’ => 'shop_order’, 830 ‘post_status’ => 'any’, 831 ‘meta_query’ => array( 832 array( 833 ‘key’ => '_order_number’, 834 ‘value’ => $order_id, //here you pass the Order Number 835 ‘compare’ => '=’, 836 ) 819837 ) 820 ) 821 ); 822 $query = new WP_Query( $args ); 823 if ( !empty( $query->posts ) ) { 824 $order_id = $query->posts[ 0 ]->ID; 825 } 826 } 827 } 828 } 829 else{ 830 if(true === EH_Stripe_Payment::wt_stripe_is_HPOS_compatibile()){ 831 $meta = $wpdb->get_results( “SELECT order_id FROM " . $wpdb->prefix . “wc_orders_meta WHERE meta_key = ‘_eh_stripe_payment_intent’ AND meta_value= '” . $intent_id . “’” ); 838 ); 839 $query = new WP_Query( $args ); 840 if ( !empty( $query->posts ) ) { 841 $order_id = $query->posts[ 0 ]->ID; 842 } 843 } 844 } 832845 } 833846 else{ 834 $meta = $wpdb->get_results( “SELECT post_id FROM " . $wpdb->postmeta .” WHERE meta_key = ‘_eh_stripe_payment_intent’ AND meta_value= '” . $intent_id . 
“’” ); 835 } 836 837 if (!empty($meta) && isset($meta[0]->post_id)) { 838 $order_id = $meta[0]->post_id; 839 840 } 841 } 842 843 if (!empty($order_id)) { 844 if($order = wc_get_order( $order_id )){ 845 $request = array(‘id’ => $intent_id); 846 $reqst_json = json_encode($request ); 847 if ( ‘on-hold’ == $order->status || ‘pending’ == $order->status) { 848 849 if (isset($decoded[‘data’][‘object’][‘status’]) && $decoded[‘data’][‘object’][‘status’] == ‘succeeded’) { 850 $obj1 = new EH_Stripe_Payment(); 851 $charge_param = $obj1->make_charge_params($decoded[‘data’][‘object’][‘charges’][‘data’][0], $order_id); 852 EH_Helper_Class::wt_stripe_order_db_operations($order_id, $order, 'update’, '_eh_stripe_payment_charge’, $charge_param, false); 853 854 $order_time = date('Y-m-d H:i:s’, time() + get_option(‘gmt_offset’) * 3600); 855 if ($decoded[‘data’][‘object’][‘charges’][‘data’][0][‘paid’] == true) { 856 857 if($decoded[‘data’][‘object’][‘charges’][‘data’][0][‘captured’] == true){ 858 $order->payment_complete($charge_param[‘id’]); 847 if(true === EH_Stripe_Payment::wt_stripe_is_HPOS_compatibile()){ 848 $meta = $wpdb->get_results($wpdb->prepare( "SELECT order_id FROM %s wc_orders_meta WHERE meta_key = ‘_eh_stripe_payment_intent’ AND meta_value= %s", array($wpdb->prefix, $intent_id)) ); 849 } 850 else{ 851 $meta = $wpdb->get_results($wpdb->prepare( "SELECT post_id FROM %s WHERE meta_key = ‘_eh_stripe_payment_intent’ AND meta_value= %s", array($wpdb->postmeta, $intent_id)) ); 852 } 853 854 if (!empty($meta) && isset($meta[0]->post_id)) { 855 $order_id = $meta[0]->post_id; 856 857 } 858 } 859 860 if (!empty($order_id)) { 861 if($order = wc_get_order( $order_id )){ 862 $request = array(‘id’ => $intent_id); 863 $reqst_json = json_encode($request ); 864 if ( ‘on-hold’ === $order->status || ‘pending’ === $order->status) { 865 866 if (isset($decoded[‘data’][‘object’][‘status’]) && $decoded[‘data’][‘object’][‘status’] === ‘succeeded’) { 867 $obj1 = new EH_Stripe_Payment(); 868 
$charge_param = $obj1->make_charge_params($decoded[‘data’][‘object’][‘charges’][‘data’][0], $order_id); 869 EH_Helper_Class::wt_stripe_order_db_operations($order_id, $order, 'update’, '_eh_stripe_payment_charge’, $charge_param, false); 870 871 $order_time = date('Y-m-d H:i:s’, time() + get_option(‘gmt_offset’) * 3600); 872 if ($decoded[‘data’][‘object’][‘charges’][‘data’][0][‘paid’] == true) { 873 874 if($decoded[‘data’][‘object’][‘charges’][‘data’][0][‘captured’] == true){ 875 $order->payment_complete($charge_param[‘id’]); 876 } 877 if (!$decoded[‘data’][‘object’][‘charges’][‘data’][0][‘captured’]) { 878 $order->update_status(‘on-hold’); 879 } 880 $order->add_order_note(__('Payment Status : ', ‘payment_gateway_stripe_and_woocommerce_integration’) . ucfirst($charge_param[‘status’]) . ' [ ' . $order_time . ' ] . ' . __('Source : ', ‘payment_gateway_stripe_and_woocommerce_integration’) . $charge_param[‘source_type’] . '. ' . __('Charge Status :’, ‘payment_gateway_stripe_and_woocommerce_integration’) . $charge_param[‘captured’] . (is_null($charge_param[‘transaction_id’]) ? ‘’ : '. <br>’.__('Transaction ID : ‘,’payment_gateway_stripe_and_woocommerce_integration’) . $charge_param[‘transaction_id’])); 881 WC()->cart->empty_cart(); 882 EH_Stripe_Log::log_update(‘live’, $charge_param, get_bloginfo(‘blogname’) . ' - Charge - Order #’ . $order->get_order_number()); 883 884 } else { 885 EH_Stripe_Log::log_update(‘dead’, $decoded[‘data’][‘object’][‘charges’][‘data’][0], get_bloginfo(‘blogname’) . ' - Charge - Order #’ . 
$order->get_order_number()); 886 } 887 888 889 } 890 else { 891 // Set order status to payment failed 892 $reason = 'Payment failed’; 893 if(isset($decoded[‘data’][‘object’][‘charges’][‘data’][0][‘failure_message’]) && !empty($decoded[‘data’][‘object’][‘charges’][‘data’][0][‘failure_message’])){ 894 $reason .= ' - ' .$decoded[‘data’][‘object’][‘charges’][‘data’][0][‘failure_message’]; 859895 } 860 if (!$decoded[‘data’][‘object’][‘charges’][‘data’][0][‘captured’]) { 861 $order->update_status(‘on-hold’); 862 } 863 $order->add_order_note(__('Payment Status : ', ‘payment_gateway_stripe_and_woocommerce_integration’) . ucfirst($charge_param[‘status’]) . ' [ ' . $order_time . ' ] . ' . __('Source : ', ‘payment_gateway_stripe_and_woocommerce_integration’) . $charge_param[‘source_type’] . '. ' . __('Charge Status :’, ‘payment_gateway_stripe_and_woocommerce_integration’) . $charge_param[‘captured’] . (is_null($charge_param[‘transaction_id’]) ? ‘’ : '. <br>’.__('Transaction ID : ‘,’payment_gateway_stripe_and_woocommerce_integration’) . $charge_param[‘transaction_id’])); 864 WC()->cart->empty_cart(); 865 EH_Stripe_Log::log_update(‘live’, $charge_param, get_bloginfo(‘blogname’) . ' - Charge - Order #’ . $order->get_order_number()); 866 867 } else { 868 EH_Stripe_Log::log_update(‘dead’, $decoded[‘data’][‘object’][‘charges’][‘data’][0], get_bloginfo(‘blogname’) . ' - Charge - Order #’ . 
$order->get_order_number()); 869 } 870 871 872 } 873 else { 874 // Set order status to payment failed 875 $reason = 'Payment failed’; 876 if(isset($decoded[‘data’][‘object’][‘charges’][‘data’][0][‘failure_message’]) && !empty($decoded[‘data’][‘object’][‘charges’][‘data’][0][‘failure_message’])){ 877 $reason .= ' - ' .$decoded[‘data’][‘object’][‘charges’][‘data’][0][‘failure_message’]; 878 } 879 880 $order->update_status( 'failed’, sprintf( __( 'Payment failed.’, ‘payment_gateway_stripe_and_woocommerce_integration’ ) ) ); 881 } 882 } 883 } 884 } 885 886 } 887 888 break; 889 890 891 case 'source.chargeable’: 892 893 if (isset($decoded[‘data’][‘object’][‘metadata’][‘order_id’]) && !empty($decoded[‘data’][‘object’][‘metadata’][‘order_id’])) { 894 $order_id = $decoded[‘data’][‘object’][‘metadata’][‘order_id’]; 895 } 896 elseif(isset($decoded[‘data’][‘object’][‘redirect’][‘return_url’]) && !empty($decoded[‘data’][‘object’][‘redirect’][‘return_url’])){ 897 $return_url = $decoded[‘data’][‘object’][‘redirect’][‘return_url’]; 898 $arr_parts = wp_parse_url($return_url); 899 if(isset($arr_parts) && !empty($arr_parts) && isset($arr_parts[‘query’]) && !empty($arr_parts[‘query’])){ 900 wp_parse_str($arr_parts[‘query’], $arr_params); 901 if(!empty($arr_params) && isset($arr_params[‘order_id’]) && !empty($arr_params[‘order_id’])){ 902 $order_id = $arr_params[‘order_id’]; 903 } 904 } 905 } 906 if(isset($order_id) && !empty($order_id)){ 907 $source_id = sanitize_text_field($decoded[‘data’][‘object’][‘id’]); 908 909 $order = wc_get_order( $order_id ); 910 if($order && $order->has_status(‘on-hold’)){ 911 912 //check stripe vendor folder is exist 913 if (!class_exists(‘Stripe\Stripe’)) { 914 include(EH_STRIPE_MAIN_PATH . 
“vendor/autoload.php”); 915 } 916 $objKlarna = new EH_Klarna_Gateway(); 917 918 //check the source stats is chargeable 919 $source_response = \Stripe\Source::retrieve($source_id); 920 if (isset($source_response->status) && !empty($source_response->status) && ‘chargeable’ == $source_response->status) { 921 922 $charge_response = \Stripe\Charge::create($objKlarna->eh_make_charge_params( $order, $source_response->id), array( 923 ‘idempotency_key’ => $order->get_order_key() 924 )); 925 926 $objKlarna->eh_process_payment_response($charge_response, $order, true); 927 } 928 929 } 930 896 897 $order->update_status( 'failed’, sprintf( __( 'Payment failed.’, ‘payment_gateway_stripe_and_woocommerce_integration’ ) ) ); 898 } 899 } 900 } 901 } 902 931903 } 932904 933 934 break; 935 936 case 'checkout.session.expired’: 937 if (isset($decoded[‘data’][‘object’][‘metadata’][‘order_id’]) && !empty($decoded[‘data’][‘object’][‘metadata’][‘order_id’])) { 938 $order_id = $decoded[‘data’][‘object’][‘metadata’][‘order_id’]; 939 } 940 elseif(isset($decoded[‘data’][‘object’][‘success_url’]) && !empty($decoded[‘data’][‘object’][‘success_url’])){ 941 $arr_parts = wp_parse_url($decoded[‘data’][‘object’][‘success_url’]); 942 if(isset($arr_parts) && !empty($arr_parts) && isset($arr_parts[‘query’]) && !empty($arr_parts[‘query’])){ 943 wp_parse_str($arr_parts[‘query’], $arr_params); 944 if(!empty($arr_params) && isset($arr_params[‘order_id’]) && !empty($arr_params[‘order_id’])){ 945 $order_id = $arr_params[‘order_id’]; 946 } 947 } 948 } 949 if(isset($order_id) && !empty($order_id)){ 950 $order = wc_get_order( $order_id ); 951 if($order){ 952 if(‘eh_stripe_checkout’ == $order->get_payment_method() && ‘processing’ != $order->status && ‘completed’ != $order->status ){ 953 954 $session_id = (isset($decoded[‘data’][‘object’][‘id’]) && !empty($session_id)) ? 
$decoded[‘data’][‘object’][‘id’] : '’; 955 if(empty($session_id)){ 956 return; 957 } 958 $session = \Stripe\Checkout\Session::retrieve($session_id); 959 960 $intent = get_post_meta( $order_id, '_eh_stripe_payment_intent’, true); 961 if($intent == $session->payment_intent){ 962 $order->update_status( 'cancelled’, __( 'Stripe checkout abandoned.’, ‘payment_gateway_stripe_and_woocommerce_integration’ )); 963 905 break; 906 907 908 case 'source.chargeable’: 909 910 if (isset($decoded[‘data’][‘object’][‘metadata’][‘order_id’]) && !empty($decoded[‘data’][‘object’][‘metadata’][‘order_id’])) { 911 $order_id = $decoded[‘data’][‘object’][‘metadata’][‘order_id’]; 912 } 913 elseif(isset($decoded[‘data’][‘object’][‘redirect’][‘return_url’]) && !empty($decoded[‘data’][‘object’][‘redirect’][‘return_url’])){ 914 $return_url = $decoded[‘data’][‘object’][‘redirect’][‘return_url’]; 915 $arr_parts = wp_parse_url($return_url); 916 if(isset($arr_parts) && !empty($arr_parts) && isset($arr_parts[‘query’]) && !empty($arr_parts[‘query’])){ 917 wp_parse_str($arr_parts[‘query’], $arr_params); 918 if(!empty($arr_params) && isset($arr_params[‘order_id’]) && !empty($arr_params[‘order_id’])){ 919 $order_id = $arr_params[‘order_id’]; 964920 } 965921 } 966922 } 967 } 968 969 break; 970 default: 971 // code… 972 break; 973 } 923 if(isset($order_id) && !empty($order_id)){ 924 $source_id = sanitize_text_field($decoded[‘data’][‘object’][‘id’]); 925 926 $order = wc_get_order( $order_id ); 927 if($order && $order->has_status(‘on-hold’)){ 928 929 //check stripe vendor folder is exist 930 if (!class_exists(‘Stripe\Stripe’)) { 931 include(EH_STRIPE_MAIN_PATH . 
“vendor/autoload.php”); 932 } 933 $objKlarna = new EH_Klarna_Gateway(); 934 935 //check the source stats is chargeable 936 $source_response = \Stripe\Source::retrieve($source_id); 937 if (isset($source_response->status) && !empty($source_response->status) && ‘chargeable’ == $source_response->status) { 938 939 $charge_response = \Stripe\Charge::create($objKlarna->eh_make_charge_params( $order, $source_response->id), array( 940 ‘idempotency_key’ => $order->get_order_key() 941 )); 942 943 $objKlarna->eh_process_payment_response($charge_response, $order, true); 944 } 945 946 } 947 948 } 949 950 951 break; 952 953 case 'checkout.session.expired’: 954 if (isset($decoded[‘data’][‘object’][‘metadata’][‘order_id’]) && !empty($decoded[‘data’][‘object’][‘metadata’][‘order_id’])) { 955 $order_id = $decoded[‘data’][‘object’][‘metadata’][‘order_id’]; 956 } 957 elseif(isset($decoded[‘data’][‘object’][‘success_url’]) && !empty($decoded[‘data’][‘object’][‘success_url’])){ 958 $arr_parts = wp_parse_url($decoded[‘data’][‘object’][‘success_url’]); 959 if(isset($arr_parts) && !empty($arr_parts) && isset($arr_parts[‘query’]) && !empty($arr_parts[‘query’])){ 960 wp_parse_str($arr_parts[‘query’], $arr_params); 961 if(!empty($arr_params) && isset($arr_params[‘order_id’]) && !empty($arr_params[‘order_id’])){ 962 $order_id = $arr_params[‘order_id’]; 963 } 964 } 965 } 966 if(isset($order_id) && !empty($order_id)){ 967 $order = wc_get_order( $order_id ); 968 if($order){ 969 if(‘eh_stripe_checkout’ === $order->get_payment_method() && ‘processing’ != $order->status && ‘completed’ != $order->status ){ 970 971 $session_id = (isset($decoded[‘data’][‘object’][‘id’]) && !empty($session_id)) ? 
$decoded[‘data’][‘object’][‘id’] : '’; 972 if(empty($session_id)){ 973 return; 974 } 975 $session = \Stripe\Checkout\Session::retrieve($session_id); 976 977 $intent = get_post_meta( $order_id, '_eh_stripe_payment_intent’, true); 978 if($intent == $session->payment_intent){ 979 $order->update_status( 'cancelled’, __( 'Stripe checkout abandoned.’, ‘payment_gateway_stripe_and_woocommerce_integration’ )); 980 981 } 982 } 983 } 984 } 985 986 break; 987 default: 988 // code… 989 break; 990 } 991 } 992 974993 } 975994 976 } 995 } catch(\UnexpectedValueException $e) { 996 // Invalid payload 997 http_response_code(400); 998 exit(); 999 } catch(\SignatureVerificationException $e) { 1000 // Invalid signature 1001 http_response_code(400); 1002 exit(); 1003 } 1004 catch(\Stripe\Exception\SignatureVerificationException $e) { 1005 // Invalid signature 1006 http_response_code(400); 1007 exit(); 1008 } 1009 catch(Exception $e){ 1010 http_response_code(400); 1011 exit(); 1012 } 1013 9771014 9781015 die;
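Review bot: The new signature check is wrapped in `if(!empty($endpoint_secret))`, so on any site where `eh_stripe_webhook_secret` has not been saved the handler still processes an unauthenticated POST exactly as before the fix; the guard should fail closed, e.g. `$sig_header = $_SERVER['HTTP_STRIPE_SIGNATURE'] ?? '';` followed by `if (empty($endpoint_secret) || empty($sig_header)) { http_response_code(400); exit; }` before the `constructEvent` call. Separately, the rewritten lookups at lines 686, 689, 699, 702, 759, 762, 848 and 851 pass the table name through a `%s` placeholder, which `$wpdb->prepare` wraps in quotes and yields `'wp_'wc_orders_meta` / `'wp_postmeta'`, so these queries fail at the database and the fallback order resolution silently returns nothing; interpolate the trusted table name and bind only the value, e.g. `$wpdb->prepare("SELECT order_id FROM {$wpdb->prefix}wc_orders_meta WHERE meta_key = '_transaction_id' AND meta_value = %s", $transaction_id)`. The `catch(\SignatureVerificationException $e)` at line 999 names a class that does not exist at global scope; the later `\Stripe\Exception\SignatureVerificationException` clause is the one that matches, so the first can be dropped. The enclosing eh_callback_handler function begins before this section, so the option read and the early-exit path should be checked against the code above line 650 as well.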
