WPIntell

Source evidence

Stripe Secret Key is exposed in the front-end

FundPress – WordPress Donation Plugin · support · 2019-03-12T19:17:00+00:00


Conversation

support
johnnydarkko unresolved
The following file plugs the secret key into the front end: wp-content/plugins/fundpress/inc/gateways/stripe/class-dn-payment-stripe.php (Line 270). Upon inspection of the source for a page, the following is exposed in the front end:

var Donate_Stripe_Settings = {"Secret_Key":"sk_live_[key redacted]"}

This information should NOT be publicly exposed.

Comments

johnnydarkko 2019-03-12T21:17:00+00:00

I found that removing line 270 of that code that adds the stripe data script addresses the issue. Tested and verified that payments are going through successfully on our site. Might need more insight from the plugin developer here.

whallify 2019-03-19T16:08:00+00:00

This is still an issue, even after upgrading to latest 1.8 version, which supposedly was released specifically to address this vulnerability. The new updates don’t have the exact same settings, but the end result is still an exposure and leaking of secret and publish keys on the website (i.e., /cart page).

```php
260     if ( !$this->is_enable )
261         return;
262
263     $stripe = apply_filters( 'donate_stripe_payment_object', array(
264         'Secret_Key'  => $this->secret_key,
265         'Publish_Key' => $this->publish_key,
266         'key_missing' => __( 'Stripe key is expired. Please contact administrator to do this payment gateway', 'fundpress' )
267     ) );
268
269     wp_register_script( 'donate_payment_stripe', TP_DONATE_INC_URI . '/gateways/stripe/jquery.payment.min.js', array(), TP_DONATE_VER, true );
270     wp_localize_script( 'donate_payment_stripe', 'Donate_Stripe_Settings', $stripe );
271
272     wp_enqueue_script( 'donate_payment_stripe' );
273 }
```
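A check a site owner can run over the rendered source of their own pages to see whether any object printed by `wp_localize_script` still carries a secret-shaped Stripe key after an upgrade. This is an added example, not code from the thread or the plugin; the function names, the sample page and the key in it are constructed for illustration, and the walk over nested objects goes beyond the flat object quoted above.

```python
import json
import re

# Stripe secret (sk_) and restricted (rk_) keys belong on the server only;
# publishable (pk_) keys are the ones meant to reach the browser.
SECRET_RE = re.compile(r"^(sk|rk)_(live|test)_\w+$")
# wp_localize_script prints its data as:  var Name = {...JSON...};
VAR_RE = re.compile(r"var\s+([A-Za-z_$][\w$]*)\s*=\s*(?=\{)")


def walk(value, path):
    """Yield (path, string) for every string nested in decoded JSON."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, (dict, list)):
        items = value.items() if isinstance(value, dict) else enumerate(value)
        for key, child in items:
            yield from walk(child, f"{path}.{key}")


def find_exposed_secrets(html):
    """Return [(json_path, mode, redacted_value)] for secret-shaped Stripe keys
    found in JavaScript objects embedded in the page source."""
    findings, decoder = [], json.JSONDecoder()
    for m in VAR_RE.finditer(html):
        try:
            obj, _ = decoder.raw_decode(html, m.end())
        except json.JSONDecodeError:
            continue  # a var assignment, but not a JSON object literal
        for path, text in walk(obj, m.group(1)):
            hit = SECRET_RE.match(text)
            if hit:
                # Never echo the key itself into a report: keep the prefix only.
                findings.append((path, hit.group(2), text[:8] + "..."))
    return findings


# Constructed sample (not a real key), shaped like the output quoted in the thread.
FAKE_KEY = "sk_live_" + "CONSTRUCTED0000EXAMPLE"
SAMPLE_PAGE = (
    '<script src="/app.js"></script>\n<script>\n/* <![CDATA[ */\n'
    'var Donate_Stripe_Settings = {"Secret_Key":"%s",'
    '"Publish_Key":"pk_live_CONSTRUCTED0000"};\n/* ]]> */\n</script>' % FAKE_KEY
)

if __name__ == "__main__":
    for finding in find_exposed_secrets(SAMPLE_PAGE):
        print(finding)
```

Any finding means the key has been served to visitors and should be rolled in the Stripe dashboard, in addition to fixing the page output.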