Unauthorized Gift Certificate Creation Vulnerability in WooCommerce Smart Coupons

CVE-2020-36841

5.3MEDIUM

Key Information

Vendor: WooCommerce
Status: WooCommerce Smart Coupons
Vendor: CVE Published:; 16 October 2024

Summary

The WooCommerce Smart Coupons plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the woocommerce_coupon_admin_init function in versions up to, and including, 4.6.0. This makes it possible for unauthenticated attackers to send themselves gift certificates of any value, which could be redeemed for products sold on the victim’s storefront.

Affected Version(s)

WooCommerce Smart Coupons < 4.6.5

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Oct 16, 2024
Vulnerability Reserved.
Oct 15, 2024
Disclosed
Mar 4, 2020
Discovered
Feb 20, 2020
Vendor Notified
Feb 20, 2020

Collectors

NVD DatabaseMitre Database

Credit

Aaron Averbuch