Unauthorized Data Modification in WooCommerce Gift Card Plugin by WordPress
CVE-2024-11423
Key Information:
- Vendor: WordPress
- Status: Vendor
- CVE Published: 8 January 2025
Summary
The Ultimate Gift Cards for WooCommerce plugin lets e-commerce sites create and manage digital gift cards. A security flaw exists because several of its REST API endpoints (such as /wp-json/gifting/recharge-giftcard) lack proper capability checks. This allows unauthenticated attackers to alter gift card balances, recharge gift cards without payment, and reduce gift card values, posing significant risk to both merchants and customers.
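The root cause described above is a REST route whose permission callback does not verify the caller's capability. The following is an added illustrative example of how such a route is registered with a proper check in WordPress; it is not the plugin's own code, and the namespace `example-gifting/v1`, the route, the `example_gifting_recharge` handler and the `manage_woocommerce` capability choice are assumptions.

```php
<?php
// Added illustrative example, not the plugin's own code. The namespace,
// route name and handler function are hypothetical.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-gifting/v1', '/recharge-giftcard', array(
        'methods'             => 'POST',

        // Weak form (the class of defect the advisory describes):
        //   'permission_callback' => '__return_true',
        // which lets any unauthenticated visitor reach the handler.

        // Hardened form: the permission callback runs before the handler and
        // rejects callers who lack the WooCommerce management capability.
        // Unauthenticated requests have no current user, so the check fails.
        // Cookie-authenticated REST calls also need a valid X-WP-Nonce header,
        // otherwise WordPress treats them as unauthenticated.
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_woocommerce' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to modify gift card balances.' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },

        // Input validation is separate from authorization; do both.
        'args' => array(
            'coupon' => array( 'required' => true, 'sanitize_callback' => 'sanitize_text_field' ),
            'amount' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) { return is_numeric( $value ) && (float) $value > 0; },
            ),
        ),
        'callback' => 'example_gifting_recharge',
    ) );
} );

// Hypothetical handler: by the time it runs, authorization has already passed.
function example_gifting_recharge( WP_REST_Request $request ) {
    $coupon = $request->get_param( 'coupon' );
    $amount = (float) $request->get_param( 'amount' );
    // Audit every balance change; recharges from unexpected users are a detection signal.
    error_log( sprintf( 'gift card recharge: coupon=%s amount=%.2f user=%d', $coupon, $amount, get_current_user_id() ) );
    return rest_ensure_response( array( 'coupon' => $coupon, 'recharged' => $amount ) );
}
```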
Affected Version(s)
Gift Cards for WooCommerce Pro * <= 2.9.1
Ultimate Gift Cards for WooCommerce - Create WooCommerce Gift Cards, Gift Vouchers, Redeem & Manage Digital Gift Coupons. Offer Gift Certificates, Schedule Gift Cards, and Use Advance Coupons With Personalized Templates * <= 3.0.6
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability reserved