WordPress Plugin Vulnerabilities

Convertful – Your Ultimate On-Site Conversion Tool < 2.6 - Missing Authorization via add_woo_coupon

Description

The Convertful – Your Ultimate On-Site Conversion Tool plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'add_woo_coupon' REST function in versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to generate coupons for arbitrary amounts.

Affects Plugins

Plugin icon
convertful
Fixed in 2.6

References

CVE
CVE-2023-46605
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/4e8c311e-7cf2-4aaf-8059-30f872475ee5

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Mika
Verified
No
WPVDB ID
e4bda3de-6689-4e11-960e-af8722a3d46b

Timeline

Publicly Published
2023-10-24 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2026-02-20
Title
Image Optimizer by Elementor < 1.7.2 - Missing Authorization
Published
2024-08-19
Title
GiveWP – Donation Plugin and Fundraising Platform < 3.14.0 - Missing Authorization to Unauthenticated Event Settings Update
Published
2026-01-28
Title
WPBookit Pro <= 1.6.18 - Missing Authorization
Published
2025-10-19
Title
BuddyForms <= 2.9.0 - Missing Authorization
Published
2025-10-02
Title
SiteAlert (Formerly WP Health) <= 1.9.8 - Missing Authorization to Unauthenticated Site Health Information Exposure