• The following file plugs the secret key into the front end:
    wp-content/plugins/fundpress/inc/gateways/stripe/class-dn-payment-stripe.php (Line 270).

    Upon inspection of the source for a page, the following is exposed in the front end:
    var Donate_Stripe_Settings = {"Secret_Key":"sk_live_[key redacted]"}

    This information should NOT be publicly exposed.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter johnnydarkko

    (@johnnydarkko)

    I found that removing line 270 of that code, which adds the Stripe data script, addresses the issue. Tested and verified that payments are going through successfully on our site. Might need more insight from the plugin developer here.

    This is still an issue, even after upgrading to the latest 1.8 version, which supposedly was released specifically to address this vulnerability.

    The new updates don’t have the exact same settings, but the end result is still an exposure and leaking of secret and publish keys on the website (i.e., /cart page).

    260     if ( !$this->is_enable )
    261         return;
    262
    263     $stripe = apply_filters( 'donate_stripe_payment_object', array(
    264         'Secret_Key' => $this->secret_key,
    265         'Publish_Key' => $this->publish_key,
    266         'key_missing' => __( 'Stripe key is expired. Please contact administrator to do this payment gateway', 'fundpress' )
    267     ) );
    268
    269     wp_register_script( 'donate_payment_stripe', TP_DONATE_INC_URI . '/gateways/stripe/jquery.payment.min.js', array(), TP_DONATE_VER, true );
    270     wp_localize_script( 'donate_payment_stripe', 'Donate_Stripe_Settings', $stripe );
    271
    272     wp_enqueue_script( 'donate_payment_stripe' );
    273 }
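
A check for the leak described in this thread, added here as an example and not code from the plugin or from either poster: it scans a page's rendered HTML for objects printed by `wp_localize_script()` and flags any Stripe secret or restricted key among their values. The function names and the sample HTML are constructed for illustration.

```python
import json
import re

# Stripe secret (sk_) and restricted (rk_) keys must stay server-side;
# publishable keys (pk_) are meant to reach the browser and are not flagged.
SECRET_RE = re.compile(r"\b(?:sk|rk)_(?:live|test)_[0-9A-Za-z]+")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)
# wp_localize_script() prints its data as: var Name = {...json...};
LOCALIZED_RE = re.compile(r"var\s+([A-Za-z_$][\w$]*)\s*=\s*(\{.*?\});", re.S)

# Constructed sample of a rendered page; both key values are fake.
SAMPLE_HTML = """<script type='text/javascript'>
/* <![CDATA[ */
var Donate_Stripe_Settings = {"Secret_Key":"sk_live_EXAMPLEONLY0000","Publish_Key":"pk_live_EXAMPLEONLY1111"};
/* ]]> */
</script>"""


def walk(node, path=""):
    """Yield (path, string) for every string value in parsed JSON."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk(child, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from walk(child, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def find_exposed_keys(html):
    """Return (js_object, field, redacted_key) for each secret key in inline scripts."""
    findings = []
    for body in SCRIPT_RE.findall(html):
        seen = set()
        for name, blob in LOCALIZED_RE.findall(body):
            try:
                data = json.loads(blob)
            except ValueError:
                continue  # not plain JSON; the raw scan below still covers it
            for path, value in walk(data):
                if SECRET_RE.fullmatch(value):
                    findings.append((name, path, value[:8] + "..."))
                    seen.add(value)
        # Raw fallback: keys outside any parseable localized object.
        for raw in set(SECRET_RE.findall(body)) - seen:
            findings.append((None, None, raw[:8] + "..."))
    return findings
```

Run it against the saved source of every page that loads the payment script (the thread names the /cart page); an empty result for the page is the condition to verify after an upgrade.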

  • The topic ‘Stripe Secret Key is exposed in the front-end’ is closed to new replies.