March 4

Voucher Creation Vulnerability Patched In WooCommerce Smart Coupons

WordPress Vulnerabilities


This post was originally published on this site

Description: Unauthenticated Voucher Creation
Affected Plugin: WooCommerce Smart Discount coupons
Affected Variations: <= 4.6.0
CVSS Score:
5.3 (Medium)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/The:N
Patched Version: 4.6.5

Late last 30 days a patch premiered for WooCommerce Smart Coupons, a business WooCommerce plugin that assists store managers handle vouchers and present certificates. In vulnerable variations of the plugin, unauthenticated attackers could send themselves present certificates of any worth, which could become redeemed for products in love with the victim’s storefront.

This vulnerability was originally identified by Aaron Averbuch and his team at Bloomscape, who privately contacted us after disclosing the problem to the plugin’s programmers. A patch premiered the next day in WooCommerce Wise Coupons version 4.6.5. To safeguard our users, we launched a firewall guideline to block tries to exploit this flaw. Wordfence Premium customers already have usage of this rule, and websites still on the free of charge version will have the rule March 25, 2020, four weeks after it had been released.

We urge all WooCommerce Intelligent Coupons users to update to the most recent available version as quickly as possible to mitigate the chance of fraudulent gift certificates. Typical WordPress users revise commercial plugins much less reliably than those in the WordPress repository, and that tendency continues with this particular plugin. During this writing, almost nine out of ten websites using WooCommerce Smart Discount codes are still owning a vulnerable edition of the plugin.

Inside today’s posting, we examine the vulnerability and discuss how exactly to identify if your website offers been affected.

Vulnerability In Details

One of the top features of WooCommerce Wise Coupons allows store supervisors to generate gift certificates which may be emailed to clients. The interface because of this feature is just available to user functions with the manage_woocommerce capability, that is available automagically on the administrator and shop_manager functions.

Screenshot of the Send Store Credit interface

Screenshot of the Send Shop Credit interface.

This functionality was made vulnerable incidentally WooCommerce Smart Coupons handled inputs from that form. As the dashboard page because of this feature was limited to privileged customers, the plugin was hearing for submissions on every web page in wp-admin.

add_motion( 'admin_init', array( $this, 'woocommerce_voucher_admin_init' ) );
public functionality woocommerce_coupon_admin_init() 

The snippets above, taken from class-wc-sc-admin-pages.php, present how this insight is handled. The plugin registers the woocommerce_coupon_admin_init() functionality to WordPress’s admin_init hook. This functionality performs checks to find out whether to start out output buffering or sign up a CSV importer, but checks if it will send something special certificate.

It helps make this decision predicated on two $_Find parameters: action=sent_gift_certification and page=wc-smart-coupons. These parameters are normal in the WordPress dashboard, but accessing them straight will be insecure in cases like this. There’s zero validation a user has usage of the wc-smart-coupons page.

As we’ve reported in a number of cases recently, such seeing that the vulnerabilities in Email Subscribers & Newsletters and last week’s zero-day marketing campaign, the admin_init hook is obtainable to some of a web site’s visitors. Unauthenticated customers can deliver requests to /wp-admin/admin-post.php, that will satisfy requirements for is_admin() along with firing every functionality hooked to admin_init.  This, needless to say, includes woocommerce_coupon_admin_init().

By crafting a demand challenging essential parameters, attackers could generate and send themselves valid present certificates for a victim’s WooCommerce shop. This vulnerability has already been patched by WooCommerce Smart Coupons 4.6.5.

Remediation COULD BE Tricky

Internally, these gift certificates are believed coupons, as being a typical percentage-away from coupon you’d distribute for the promotion. They behave in different ways, with a value which can be spent rather than a reusable lower price, but are treated exactly the same within the WooCommerce user interface.

Screenshot of a summary of generated coupons.

Screenshot of a summary of generated coupons.

Unfortunately, this implies it’s extremely hard for the WooCommerce Wise Vouchers to invalidate any fraudulent shop credit that has been created through this vulnerability. In case a vulnerable web site had been exploited and shop credit generated, it could still be legitimate and redeemable following the site proprietor up-to-date the plugin. Each discount would need to end up being deleted by an administrator or store manager to avoid their use.

For shops that don’t utilize these present certificates, remediation is really as simple while deleting every voucher with the kind Store Credit score / Gift Certificate. Nevertheless, for sites that deliver store credit frequently, it could not be immediately very clear which coupons are reputable and that have been created fraudulently.

If you think store credit was made by way of a malicious user, you can find two methods for you to help identify which coupon codes are fraudulent.

Comparing Coupon Creation Periods With Access Logs

This method requires usage of your site’s accessibility logs. If you don’t understand how to access these, get in touch with your hosting company for assistance.

While this vulnerability allows discount coupons to end up being generated on unauthenticated /wp-admin endpoints, legitimate usage just sends requests to 1 location: /wp-admin/admin.php. This endpoint will be inaccessible to unauthenticated customers, so any discount codes generated by way of a request compared to that file are usually legitimate.

On another hand, coupons generated by requests to other locations, like /wp-admin/admin-post.php or /wp-admin/admin-ajax.php, are most likely fraudulent.

For instance, the following string within an access log indicate an effort to exploit this vulnerability:

"POST /wp-admin/admin-post.php?web page=wc-smart-vouchers&action=sent_present_certificate HTTP/1.1"

The next one is really a legitimate entry:

"POST /wp-admin/admin.php?page=wc-smart-coupon codes&action=sent_present_certificate HTTP/1.1"

By comparing the timestamps of the log entries to the publish periods of suspicious coupons, it is possible to determine which to help keep and which to delete.

Checking WordPress Posting Metadata For Suspicious Email messages

This method requires usage of your site’s data source. If you don't learn how to access this, get in touch with your hosting supplier for assistance.

While the WooCommerce Wise Coupons user interface doesn’t instantly reveal where each discount was sent, this information is still stored inside the WordPress data source.

Search your web site’s wp_postmeta desk for suspicious customer_email entries with the query like the subsequent. (Note: Your web site’s data source prefix could be different, but we’ll utilize the default wp_ inside our examples.)

mysql> go for * from wp_postmeta where meta_key = 'customer_e-mail';
| meta_id | article_id | meta_crucial       | meta_value                                 |
|     168 |      54 | customer_e-mail | a:1:i:0;s:24:""; |
|     188 |      55 | consumer_email | a:1:i:0;s:23:"";  |
|     266 |      57 | customer_e-mail | a:1:i:0;s:22:"";   |
|     285 |      59 | customer_e-mail | a:1:i:0;s:21:"";    |
4 rows in established (0.00 sec)

In the illustration set above, we notice four coupons with various customer_e-mail values. A definite email sticks out: The post_id because of this coupon is definitely 55, so permit’s notice which promotion code that corresponds to:

mysql> go for post_name from wp_articles where ID = 55;
| post_title    |
| qvi93te4veedu |
1 row in place (0.00 sec)

Now we start to see the offending promotion code: qvi93te4veedu. With this we are able to delete the voucher, or investigate more to recognize any orders that shop credit might have been used on.

Not just about all malicious users possess quickly identifiable email addresses, nevertheless, you may also compare these email messages to other assets such as your email list and previous orders to recognize suspicious outliers.


  • February 20, 2020 – Vulnerability disclosed by Aaron Averbuch and his group at Bloomscape.
  • February 21, 2020 – WooCommerce Smart Coupon codes edition 4.6.5 launched to patch vulnerability.
  • February 24, 2020 – Firewall principle released to avoid exploitation against websites with Wordfence Superior.
  • March 25, 2020 – Firewall rule open to Wordfence free customers.


Vulnerabilities like this one, where functions are designed for privileged customers but are inadvertently still left open to attack, are usually unfortunately common. In case you are establishing WordPress plugins and designs, make sure to validate consumer capabilities directly for just about any privileged action. Hooking program code into admin_init, or wanting to secure efficiency with is_admin() checks, is dangerous and ineffective without executing these capabilities checks. To learn more on how best to check user features, go to the codex entry for current_user_can().

At this time, we’ve not really detected any malicious exercise targeting WooCommerce Smart Discount coupons. Having said that, it’s essential to up-date to the latest edition of the plugin as quickly as possible.

Wordfence Premium users already are protected from possible episodes. Sites on the free of charge version will have the rule on the time specified in the timeline above.

We will keep track of our network for just about any changes in action around this vulnerability, and can provide details because they emerge.

Thanks a lot again to Aaron Averbuch and his group at Bloomscape because of their discovery and disclosure of the issue. Additional because of QA Prospect Matt Rusnak for his help in vulnerability evaluation.


The post Coupon Creation Vulnerability Patched In WooCommerce Smart Coupons appeared first on Wordfence.

About the author 

WP Maintain Support Protect

You may also like

Who Attacked SolarWinds and just why WordPress Users Have to know

Who Attacked SolarWinds and just why WordPress Users Have to know

SolarWinds and offer Chain Attacks: Could this happen to WordPress?

SolarWinds and offer Chain Attacks: Could this happen to WordPress?

WordPress Hardening: 18 Methods to Harden Security of one’s Website

WordPress Hardening: 18 Methods to Harden Security of one’s Website
{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Subscribe to our newsletter now!