CVE-2024-13520

MEDIUM

WooCommerce Gift Cards <4.4.6 - Info Disclosure

Title source: llm

Description

The Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported) plugin for WordPress is vulnerable to unauthorized modification of data|loss of data due to a missing capability check on the 'update_voucher_price', 'update_voucher_date', 'update_voucher_note' functions in all versions up to, and including, 4.4.9. This makes it possible for unauthenticated attackers to update the value, expiration date, and user note for any gift voucher.

References (5)

Core 5

Core References

https://plugins.trac.wordpress.org/changeset/3246800/

Product

https://plugins.trac.wordpress.org/browser/gift-voucher/trunk/include/edit-order-voucher.php#L30

Product

https://plugins.trac.wordpress.org/browser/gift-voucher/trunk/include/edit-order-voucher.php#L5

Product

https://plugins.trac.wordpress.org/browser/gift-voucher/trunk/include/edit-order-voucher.php#L56

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/190a21cd-9716-4a57-a793-63309c339427?source=cve

Scores

CVSS v3 5.3

EPSS 0.0029

EPSS Percentile 20.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (2)

codemenschen/Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported) < 4.4.9

codemenschen/gift_vouchers < 4.4.6

Published Feb 20, 2025

Tracked Since Feb 18, 2026