CVE-2020-36841

MEDIUM Year: 2020
CVSS v3 Score
5.3
Medium
Weakness Type
CWE-285
View all →

Vulnerability Description

The WooCommerce Smart Coupons plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the woocommerce_coupon_admin_init function in versions up to, and including, 4.6.0. This makes it possible for unauthenticated attackers to send themselves gift certificates of any value, which could be redeemed for products sold on the victim’s storefront.

Related Vulnerabilities

CVE-2016-5063

MEDIUM
CVSS:5.3(Medium)

The RSCD agent in BMC Server Automation before 8.6 SP1 Patch 2 and 8.7 before Patch 3 on Windows might allow remote attackers to bypass authorization checks and make an RPC call via unspecified vector...

CWE-2852016

CVE-2016-7651

MEDIUM
CVSS:5.3(Medium)

An issue was discovered in certain Apple products. iOS before 10.2 is affected. watchOS before 3.1.1 is affected. The issue involves the "Accounts" component, which allows local users to bypass intend...

CWE-2852016

CVE-2016-9938

MEDIUM
CVSS:5.3(Medium)

An issue was discovered in Asterisk Open Source 11.x before 11.25.1, 13.x before 13.13.1, and 14.x before 14.2.1 and Certified Asterisk 11.x before 11.6-cert16 and 13.x before 13.8-cert4. The chan_sip...

CWE-2852016

CVE-2018-1113

MEDIUM
CVSS:5.3(Medium)

setup before version 2.11.4-1.fc28 in Fedora and Red Hat Enterprise Linux added /sbin/nologin and /usr/sbin/nologin to /etc/shells. This violates security assumptions made by pam_shells and some daemo...

CWE-2852018

CVE-2018-3778

MEDIUM
CVSS:5.3(Medium)

Improper authorization in aedes version <0.35.0 will publish a LWT in a channel when a client is not authorized.

CWE-2852018

CVE-2018-3829

MEDIUM
CVSS:5.3(Medium)

In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 it was discovered that a user could scale out allocators on new hosts with an invalid roles token. An attacker with access to the previous run...

CWE-2852018