CVE-2020-36834

MEDIUM EXPLOITED

Discount Rules for WooCommerce <2.0.2 - Auth Bypass

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2020-36834 has been observed exploited in the wild (reported by VulnCheck KEV).

Description

The Discount Rules for WooCommerce plugin for WordPress is vulnerable to missing authorization via several AJAX actions in versions up to, and including, 2.0.2 due to missing capability checks on various functions. This makes it possible for subscriber-level attackers to execute various actions and perform a wide variety of actions such as modifying rules and saving configurations.

Scores

CVSS v3 6.3
EPSS 0.0034
EPSS Percentile 25.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

VulnCheck KEV 2024-10-15
CWE
CWE-862
Status published
Products (2)
flycart/Discount Rules for WooCommerce < 2.0.2
flycart/Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts, Bulk Discount, BOGO Coupons < 2.0.2
Published Oct 16, 2024
Tracked Since Feb 18, 2026