Masteriyo LMS Authorization Bypass Vulnerability in Stripe Webhook Processing
Vulnerability
An authorization bypass vulnerability has been identified in the Masteriyo LMS WordPress plugin, in versions through 2.1.7. It stems from inadequate verification of webhook signatures in the Stripe payment processing. The webhook endpoint accepts unauthenticated requests and checks the signature only if the 'webhook_secret' is set and the 'HTTP_STRIPE_SIGNATURE' header is included. Because the 'webhook_secret' is empty by default, attackers can send unverified JSON payloads, manipulating order completion statuses without payment and gaining access to restricted course materials.
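The conditional check described above, next to a fail-closed version, as an added example that is not the plugin's code. Function names, the sample body, the sample secret and the 300-second tolerance are assumptions; the header format follows Stripe's documented signing scheme.

```php
<?php
// Added illustration, not Masteriyo's code; every function name is hypothetical.

// Fail-open pattern from the description: verification runs only when BOTH a
// secret is configured and the header is present, so an empty secret skips it.
function webhook_trusted_fail_open(string $payload, ?string $header, string $secret): bool {
    if ($secret !== '' && $header !== null) {
        return stripe_signature_valid($payload, $header, $secret);
    }
    return true; // nothing was verified, yet the event is processed
}

// Fail-closed: a missing secret or a missing header rejects the request.
function webhook_trusted_fail_closed(string $payload, ?string $header, string $secret): bool {
    if ($secret === '' || $header === null || $header === '') {
        return false;
    }
    return stripe_signature_valid($payload, $header, $secret);
}

// Stripe-Signature is "t=<unix time>,v1=<hex>", where v1 is HMAC-SHA256 over
// "<t>.<raw request body>" keyed with the endpoint's signing secret.
function stripe_signature_valid(string $payload, string $header, string $secret, int $tolerance = 300): bool {
    $timestamp = null;
    $candidates = [];
    foreach (explode(',', $header) as $part) {
        $kv = explode('=', trim($part), 2);
        if (count($kv) !== 2) { continue; }
        if ($kv[0] === 't') { $timestamp = $kv[1]; }
        if ($kv[0] === 'v1') { $candidates[] = $kv[1]; }
    }
    if ($timestamp === null || preg_match('/^\d+$/', $timestamp) !== 1 || $candidates === []) {
        return false; // malformed header
    }
    if (abs(time() - (int) $timestamp) > $tolerance) {
        return false; // outside the tolerance window (assumed 300 s): limits replay
    }
    $expected = hash_hmac('sha256', $timestamp . '.' . $payload, $secret);
    foreach ($candidates as $sig) {
        if (hash_equals($expected, $sig)) { return true; } // constant-time compare
    }
    return false;
}

// Constructed inputs: an arbitrary body and a made-up signing secret.
$body   = '{"constructed":"sample"}';
$secret = 'whsec_constructed_example';
$header = 't=' . time() . ',v1=' . hash_hmac('sha256', time() . '.' . $body, $secret);
var_dump(webhook_trusted_fail_open($body, null, ''));           // unsigned, empty secret
var_dump(webhook_trusted_fail_closed($body, null, ''));         // same request, fail-closed
var_dump(webhook_trusted_fail_closed($body, $header, $secret)); // correctly signed request
```

The signature must be computed over the raw request body as received, before any JSON decoding or re-encoding.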
Impact
Exploitation of this vulnerability allows unauthorized users to complete orders fraudulently, bypassing payment, and gain access to paid course content.
Reproduction
To reproduce this vulnerability, send a request to the Stripe webhook endpoint with a payload that includes an 'order_id' in the metadata. Ensure that the 'webhook_secret' is not set, allowing the request to be processed without signature verification.
Remediation
Users are advised to update the Masteriyo LMS Stripe addon to version 2.1.8 or later, where this vulnerability has been addressed.
