WordPress Plugin Vulnerabilities
WPGraphQL WooCommerce < 0.12.4 - Unauthenticated Coupon Codes Disclosure
Description
The plugin does not prevent unauthenticated attackers from enumerating a shop's coupon codes and values via GraphQL.
Proof of Concept
The vulnerability exists due to the plugin only preventing users from leaking coupons using the "coupons" aggregate field, and not the regular "coupon" field. Given a valid coupon id, any unauthenticated user can make this GraphQL call and get the coupon code associated with it. Please note that the coupon ids are in the format - base64(shop_coupon:x), where x is just a 2-3 digit integer and hence easy to enumerate. query{ coupon(id:"c2hvcF9jb3Vwb246MTk="){ amount code } } Final URL should look like this: http://vulnerable-site.tld/graphql?query=query{coupon(id:"c2hvcF9jb3Vwb246MTIz"){amount code}}
Affects Plugins
References
Classification
Type
ACCESS CONTROLS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Rohan Pagey
Submitter
Rohan Pagey
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-07-26 (about 1 years ago)
Added
2022-07-26 (about 1 years ago)
Last Updated
2023-07-27 (about 9 months ago)