WPGraphQL WooCommerce < 0.12.4 – Unauthenticated Coupon Codes Disclosure | CVE 2022-1563

Description

The plugin does not prevent unauthenticated attackers from enumerating a shop's coupon codes and values via GraphQL.

Proof of Concept

The vulnerability exists due to the plugin only preventing users from leaking coupons using the "coupons" aggregate field, and not the regular "coupon" field.

Given a valid coupon id, any unauthenticated user can make this GraphQL call and get the coupon code associated with it. 

Please note that the coupon ids are in the format - base64(shop_coupon:x), where x is just a 2-3 digit integer and hence easy to enumerate.

query{
  coupon(id:"c2hvcF9jb3Vwb246MTk="){
    amount
    code
  }
}

Final URL should look like this: http://vulnerable-site.tld/graphql?query=query{coupon(id:"c2hvcF9jb3Vwb246MTIz"){amount code}}