Magento 2.3.4, Stripe Payment (Pre 1.8.8).
On 8th July 2020, Stripe notified us via email about a known cross-site scripting exploit and vulnerability and that we needed to upgrade.
Attempts to upgrade from the Cryozonic version of the Stripe plugin to the new official Stripe plugin failed.
Security vulnerability in the Stripe plugin.
What we tried:
- Deleting previous instances of the plugin (files and database)
- Installing on clean Magento local version as per the install/migrate link here
Solution for this case:
A fix is currently being prepared and is due to appear shortly.
'We’ve discovered a security issue with the Magento plugin that you use to accept payments with Stripe. We’ve fixed this issue in the latest version. You should update your plugin as soon as possible. Here’s how to update: https://stripe.com/docs/plugins/magento/install?platform=magento2#migration
In versions prior to 1.8.8, your Magento webstore was vulnerable to an attacker who could potentially inject code to see your customers’ details (called cross-site scripting), including addresses or card tokens.'