The plugin does not prevent unauthenticated attackers from enumerating a shopβs coupon codes and values via GraphQL.
The vulnerability exists due to the plugin only preventing users from leaking coupons using the βcouponsβ aggregate field, and not the regular βcouponβ field. Given a valid coupon id, any unauthenticated user can make this GraphQL call and get the coupon code associated with it. Please note that the coupon ids are in the format - base64(shop_coupon:x), where x is just a 2-3 digit integer and hence easy to enumerate. query{ coupon(id:βc2hvcF9jb3Vwb246MTk=β){ amount code } } Final URL should look like this: http://vulnerable-site.tld/graphql?query=query{coupon(id:βc2hvcF9jb3Vwb246MTIzβ){amount code}}
CPE | Name | Operator | Version |
---|---|---|---|
wp-graphql-woocommerce | eq | * |