CVE-2024-7027

HIGH

WooCommerce - PDF Vouchers <4.9.3 - Auth Bypass

Title source: llm

Description

The WooCommerce - PDF Vouchers plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 4.9.3. This is due to insufficient verification on the user being supplied during a QR code login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing Voucher Vendor user on the site, if they have access to the user id.

References (2)

Core 2

Core References

Various Sources

https://codecanyon.net/item/woocommerce-pdf-vouchers-ultimate-gift-cards-wordpress-plugin/7392046

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/b6cf27d9-c0be-4cff-8867-19297f6d79d7?source=cve

Scores

CVSS v3 7.3

EPSS 0.0041

EPSS Percentile 32.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-288

Status published

Products (1)

WPWeb/WooCommerce - PDF Vouchers < 4.9.3

Published Jul 24, 2024

Tracked Since Feb 18, 2026