CVE-2024-13520

The Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported) plugin for WordPress is vulnerable to unauthorized modification of data|loss of data due to a missing capability check on the 'update_voucher_price', 'update_voucher_date', 'update_voucher_note' functions in all versions up to, and including, 4.4.6. This makes it possible for unauthenticated attackers to update the value, expiration date, and user note for any gift voucher.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/gift-voucher/trunk/include/edit-order-voucher.php#L30	Product
https://plugins.trac.wordpress.org/browser/gift-voucher/trunk/include/edit-order-voucher.php#L5	Product
https://plugins.trac.wordpress.org/browser/gift-voucher/trunk/include/edit-order-voucher.php#L56	Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/190a21cd-9716-4a57-a793-63309c339427?source=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:codemenschen:gift_vouchers:*:*:*:*:*:wordpress:*:*

History

No history.

Information

Published : 2025-02-20 10:15

Updated : 2025-02-25 20:55

NVD link : CVE-2024-13520

Mitre link : CVE-2024-13520

CVE.ORG link : CVE-2024-13520

JSON object : View

Products Affected

codemenschen

gift_vouchers

CWE

CWE-862

Missing Authorization

{"id": "CVE-2024-13520", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2025-02-20T10:15:10.167", "references": [{"url": "https://plugins.trac.wordpress.org/browser/gift-voucher/trunk/include/edit-order-voucher.php#L30", "tags": ["Product"], "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/gift-voucher/trunk/include/edit-order-voucher.php#L5", "tags": ["Product"], "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/gift-voucher/trunk/include/edit-order-voucher.php#L56", "tags": ["Product"], "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/190a21cd-9716-4a57-a793-63309c339427?source=cve", "tags": ["Third Party Advisory"], "source": "security@wordfence.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "The Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported) plugin for WordPress is vulnerable to unauthorized modification of data|loss of data due to a missing capability check on the 'update_voucher_price', 'update_voucher_date', 'update_voucher_note' functions in all versions up to, and including, 4.4.6. This makes it possible for unauthenticated attackers to update the value, expiration date, and user note for any gift voucher."}, {"lang": "es", "value": "El complemento Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported) para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos o a la p\u00e9rdida de datos debido a la falta de una comprobaci\u00f3n de capacidad en las funciones 'update_voucher_price', 'update_voucher_date' y 'update_voucher_note' en todas las versiones hasta la 4.4.6 incluida. Esto permite que atacantes no autenticados actualicen el valor, la fecha de vencimiento y la nota de usuario de cualquier vale de regalo."}], "lastModified": "2025-02-25T20:55:11.400", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:codemenschen:gift_vouchers:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "D455C607-C1F0-4A84-A7A0-C304FF17DB91", "versionEndIncluding": "4.4.6"}], "operator": "OR"}]}], "sourceIdentifier": "security@wordfence.com"}