Discount Rules for WooCommerce < 2.2.1 – Multiple Authorization Bypass | Plugin Vulnerabilities

Description

On August 20th 2020 WebARX disclosed multiple vulnerabilities affecting the Discount Rules for WooCommerce WordPress plugin, which were patched in version 2.1.0 (see references).

Some time after, the Wordfence Threat Intelligence Team discovered several additional authorization bypass vulnerabilities affecting the Discount Rules for WooCommerce WordPress plugin.

The bypasses could lead to Stored Cross-Site Scripting (XSS).

Affects Plugins

woo-discount-rules

Fixed in 2.2.1

References

URL

https://www.wordfence.com/blog/2020/09/high-severity-vulnerabilities-patched-in-discount-rules-for-woocommerce/

URL

https://www.webarxsecurity.com/multiple-vulnerabilities-in-discount-rules-for-woocommerce-plugin/

Classification

Type

AUTHBYPASS

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Wordfence

Verified

No

WPVDB ID

50625e77-3560-4156-8b4a-e43fc0d0c89c

Timeline

Publicly Published

2020-09-17 (about 5 years ago)

Added

2020-09-17 (about 5 years ago)

Last Updated

2020-09-18 (about 5 years ago)

Other

Published

Title

Published

2024-12-11

Title

OAuth Single Sign On – SSO (OAuth Client) < 6.26.4 - Authentication Bypass

Published

2026-02-23

Title

WeDesignTech Ultimate Booking Addon <= 1.0.1 - Subscriber+ Authentication Bypass

Published

2013-03-24

Title

Backupbuddy - importbuddy.php Direct Request Remote Backup File Disclosure

Published

2024-10-25

Title

User Toolkit < 1.2.4 - Authenticated (Subscriber+) Authentication Bypass

Published

2025-04-09

Title

SureTriggers < 1.0.79 - Unauthenticated Admin User Creation