CVE-2020-36841

MEDIUM

WooCommerce Smart Coupons <4.6.0 - Auth Bypass

Title source: llm

Description

The WooCommerce Smart Coupons plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the woocommerce_coupon_admin_init function in versions up to, and including, 4.6.0. This makes it possible for unauthenticated attackers to send themselves gift certificates of any value, which could be redeemed for products sold on the victim’s storefront.

References (2)

Core 2

Core References

Third Party Advisory

https://www.wordfence.com/blog/2020/03/coupon-creation-vulnerability-patched-in-woocommerce-smart-coupons/

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/eeeb03f7-5f78-4462-b0b4-5080bbc419a3?source=cve

Scores

CVSS v3 5.3

EPSS 0.0021

EPSS Percentile 10.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-285

Status published

Products (1)

WooCommerce/WooCommerce Smart Coupons < 4.6.5

Published Oct 16, 2024

Tracked Since Feb 18, 2026