WooCommerce Discount Rules Vulnerable to Missing Authorization
CVE-2020-36834

6.3MEDIUM

Key Information:

Vendor: Wordpress
Status: Discount Rules For WooCommerce – Create Smart WooCommerce Coupons & Discounts, Bulk Discount, Bogo Coupons
Vendor: CVE Published:; 16 October 2024

Summary

The Discount Rules for WooCommerce plugin used in WordPress environments exhibits a critical authorization flaw through multiple AJAX actions. The vulnerability exists in versions up to and including 2.0.2, where a lack of proper capability checks allows subscriber-level attackers to exploit the system. This oversight permits unauthorized individuals to modify discount rules and save configurations, thereby affecting the integrity of the e-commerce setup and potentially leading to unauthorized transactions or data manipulation.

Affected Version(s)

Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts, Bulk Discount, BOGO Coupons * <= 2.0.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://patchstack.com/articles/multiple-vulnerabilities-...

CVSS V3.1

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 16, 2024
Vulnerability Reserved
Oct 15, 2024

Credit

Patchstack