WordPress Plugin Vulnerabilities

Customer Reviews for WooCommerce < 5.47.0 - Missing Authorization to Authenticated (Subscriber+) Coupon Search

Description

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'woocommerce_json_search_coupons' function . This makes it possible for attackers with subscriber level access to view coupon codes.

Affects Plugins

Plugin icon
customer-reviews-woocommerce
Fixed in 5.47.0

References

CVE
CVE-2024-3869
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/881e8096-e75f-49a7-87ed-c230e93ea378

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Thura Moe Myint (mgthuramoemyint)
Verified
No
WPVDB ID
362bd431-c2a3-4936-ae0a-8efec24dfb96

Timeline

Publicly Published
2024-04-15 (about 2 years ago)
Added
2024-04-16 (about 2 years ago)
Last Updated
2024-04-16 (about 2 years ago)

Other

Published
Title
Published
2025-06-05
Title
WP AutoKeyword <= 1.0 - Missing Authorization
Published
2023-11-14
Title
avalex – Automatisch sichere Rechtstexte < 3.0.9 - Missing Authorization
Published
2025-08-11
Title
Thank You Page Customizer for WooCommerce – Increase Your Sales < 1.1.8 - Missing Authorization
Published
2025-11-17
Title
Live sales notification for WooCommerce < 2.3.40 - Missing Authorization to Unauthenticated Customer Data Exposure
Published
2023-11-01
Title
Funnelforms Free < 3.4.2 - Missing Authorization to Category Deletion