Category Discount Woocommerce < 4.13 – Missing Authorization via wpcd_save_discount() | CVE 2024-0617 | Plugin Vulnerabilities

Description

The Category Discount Woocommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpcd_save_discount() function in all versions up to, and including, 4.12. This makes it possible for unauthenticated attackers to modify product category discounts that could lead to loss of revenue.

Affects Plugins

woo-product-category-discount

Fixed in 4.13

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/996b44bb-d1e0-4f82-b8ee-a98b0ae994f9

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Verified

No

WPVDB ID

7b974706-01af-4fac-9b94-00f63d599320

Timeline

Publicly Published

2024-01-24 (about 2 years ago)

Added

2024-01-24 (about 2 years ago)

Last Updated

2024-01-24 (about 2 years ago)

Other

Published

Title

Published

2025-04-30

Title

Page View Count 2.8.0 - 2.8.4 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update

Published

2025-12-27

Title

Event Organiser <= 3.12.8 - Missing Authorization

Published

2025-06-05

Title

WP AutoKeyword <= 1.0 - Missing Authorization

Published

2024-04-05

Title

Easy Social Share Buttons < 9.5 - Missing Authorization

Published

2026-02-13

Title

MailChimp Campaigns <= 3.2.4 - Missing Authorization to Authenticated (Subscriber+) MailChimp App Disconnection