CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-13520: Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported) <= 4.4.6 - Missing Authorization to Unauthenticated Price, Date, and Note Updates

5.3 CVSS

Description

The Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported) plugin for WordPress is vulnerable to unauthorized modification of data|loss of data due to a missing capability check on the 'update_voucher_price', 'update_voucher_date', 'update_voucher_note' functions in all versions up to, and including, 4.4.6. This makes it possible for unauthenticated attackers to update the value, expiration date, and user note for any gift voucher.

Classification

CVE ID: CVE-2024-13520

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Affected Products

Vendor: codemenschen

Product: Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported)

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 12.09% (scored less or equal to compared to others)

EPSS Date: 2025-03-21 (when was this score calculated)

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/190a21cd-9716-4a57-a793-63309c339427?source=cve
https://plugins.trac.wordpress.org/browser/gift-voucher/trunk/include/edit-order-voucher.php#L5
https://plugins.trac.wordpress.org/browser/gift-voucher/trunk/include/edit-order-voucher.php#L30
https://plugins.trac.wordpress.org/browser/gift-voucher/trunk/include/edit-order-voucher.php#L56

Timeline

2025-02-21 00:23:34 UTC
CVE

Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported) <= 4.4.6 - Missing Authorization to Unauthenticated Price, Date, and Note Updates