YITH WooCommerce Gift Cards < 4.13.0 – Missing Authorization to Unauthenticated WooCommerce Settings Update | CVE 2024-0870 | Plugin Vulnerabilities

Description

The YITH WooCommerce Gift Cards plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_mail_status' and 'save_email_settings' functions in all versions up to, and including, 4.12.0. This makes it possible for unauthenticated attackers to modify WooCommerce settings.

Affects Plugins

yith-woocommerce-gift-cards

Fixed in 4.13.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ca1f0dc6-c0bc-4e9f-b3b6-d6274aa7a7db

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Verified

No

WPVDB ID

c5187d5c-d2c7-48fa-8770-a09404d59dc8

Timeline

Publicly Published

2024-05-13 (about 2 years ago)

Added

2024-05-13 (about 2 years ago)

Last Updated

2024-05-13 (about 2 years ago)

Other

Published

Title

Published

2025-09-14

Title

WPLMS < 1.9.9.8 - Missing Authorization

Published

2024-07-04

Title

The Post Grid < 7.7.5 - Missing Authorization via save_block_css

Published

2024-03-14

Title

RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login < 5.3.1.0 - Authenticated (Subscriber+) Privilege Escalation

Published

2025-12-12

Title

Mavix Education < 1.1 - Missing Authorization to Authenticated (Subscriber+) 'Creativ Demo Importer' Plugin Activation

Published

2024-01-05

Title

Booster Plus for WooCommerce < 7.1.2 - Missing Authorization to Arbitrary Page/Post Deletion