WPGraphQL WooCommerce < 0.12.4 – Unauthenticated Coupon Codes Disclosure | CVE 2022-1563 | Plugin Vulnerabilities

Description

The plugin does not prevent unauthenticated attackers from enumerating a shop's coupon codes and values via GraphQL.

Proof of Concept

The vulnerability exists due to the plugin only preventing users from leaking coupons using the "coupons" aggregate field, and not the regular "coupon" field.

Given a valid coupon id, any unauthenticated user can make this GraphQL call and get the coupon code associated with it. 

Please note that the coupon ids are in the format - base64(shop_coupon:x), where x is just a 2-3 digit integer and hence easy to enumerate.

query{
  coupon(id:"c2hvcF9jb3Vwb246MTk="){
    amount
    code
  }
}

Final URL should look like this: http://vulnerable-site.tld/graphql?query=query{coupon(id:"c2hvcF9jb3Vwb246MTIz"){amount code}}

Affects Plugins

wp-graphql-woocommerce

Fixed in 0.12.4

References

CVE

URL

https://github.com/wp-graphql/wp-graphql-woocommerce/

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Rohan Pagey

Submitter

Rohan Pagey

Verified

Yes

WPVDB ID

19138092-50d3-4d63-97c5-aa8e1ce39456

Timeline

Publicly Published

2022-07-26 (about 1 years ago)

Added

2022-07-26 (about 1 years ago)

Last Updated

2023-07-27 (about 9 months ago)

Other

Published

Title

Published

2024-04-17

Title

LoginPress Pro <= 2.5.3 - Captcha Bypass

Published

2021-02-10

Title

Map Block for Google Maps < 1.32 - Unauthorised Google API Key change

Published

2021-08-18

Title

Visual Link Preview < 2.2.3 - Unauthorised AJAX Calls

Published

2024-04-15

Title

Product Feed PRO for WooCommerce by AdTribes – WooCommerce Product Feeds for Google, Facebook/Meta, Bing, & More < 13.3.2 - Sensitive Information Exposure via Log Files

Published

2022-01-04

Title

Advanced Cron Manager - Subscriber+ Arbitrary Events/Schedules Creation/Deletion