CVE-2024-0617 in Category Discount Woocommerce Plugin

Summary

by MITRE • 01/25/2024

The Category Discount Woocommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpcd_save_discount() function in all versions up to, and including, 4.12. This makes it possible for unauthenticated attackers to modify product category discounts that could lead to loss of revenue.


Analysis

by VulDB Data Team • 04/11/2026

CVE-2024-0617 affects the Category Discount Woocommerce plugin for WordPress. The flaw is a missing access-control check in the plugin's wpcd_save_discount() function, which handles discount modifications: the function saves the submitted discount without first verifying that the caller is permitted to change discount settings. As a result, unauthenticated attackers can alter product category discounts, which for a shop translates directly into lost revenue.

The weakness is classified as CWE-284 (Improper Access Control): the application performs a sensitive operation without verifying that the requester is authorised to perform it. In WordPress terms the missing piece is a capability check (for example current_user_can() against a capability such as manage_woocommerce) before wpcd_save_discount() writes the new discount configuration. Without it, every request that reaches the handler is treated as legitimate, so anyone who can send a request to the site can change discount parameters, bypassing the boundary that is supposed to restrict commerce-related modifications to shop managers.
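To make the missing-check pattern concrete, here is an added illustrative example (not the plugin's actual code, and not taken from VulDB or Wordfence) of a WordPress AJAX handler written the vulnerable way next to a hardened version. The function names, the AJAX action name cdw_example_save_discount, the option key cdw_example_discounts and the request parameters are all assumptions chosen for illustration; the real handler's registration and parameters are not documented on this page.

```php
<?php
// Added illustrative example; not the Category Discount Woocommerce plugin's own code.
// Function names, the AJAX action "cdw_example_save_discount", the option key and
// the request parameters are assumptions chosen for illustration.

// --- Vulnerable pattern (CWE-284): the handler saves whatever it is given, with no
// capability check and no nonce check, and is reachable by anonymous callers.
function cdw_example_save_discount_vulnerable() {
    $category_id = isset( $_POST['category_id'] ) ? absint( $_POST['category_id'] ) : 0;
    $discount    = isset( $_POST['discount'] ) ? floatval( $_POST['discount'] ) : 0.0;

    $discounts                 = get_option( 'cdw_example_discounts', array() );
    $discounts[ $category_id ] = $discount;
    update_option( 'cdw_example_discounts', $discounts );

    wp_send_json_success( array( 'category_id' => $category_id, 'discount' => $discount ) );
}
// The nopriv registration is what exposes the handler to an unauthenticated
// POST /wp-admin/admin-ajax.php with action=cdw_example_save_discount.
// Shown commented out so the hardened handler below is the only one registered here.
// add_action( 'wp_ajax_cdw_example_save_discount',        'cdw_example_save_discount_vulnerable' );
// add_action( 'wp_ajax_nopriv_cdw_example_save_discount', 'cdw_example_save_discount_vulnerable' );

// --- Hardened version: authorisation (capability check), CSRF protection (nonce),
// input validation, and no nopriv registration for a write operation.
function cdw_example_save_discount_secure() {
    // 1. Authorisation: only users allowed to manage the shop may change discounts.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    // 2. CSRF: the nonce must have been issued to this user for this action.
    //    check_ajax_referer() terminates the request itself on failure.
    check_ajax_referer( 'cdw_example_save_discount', 'nonce' );

    // 3. Validate input before it reaches the option store.
    $category_id = isset( $_POST['category_id'] ) ? absint( $_POST['category_id'] ) : 0;
    $discount    = isset( $_POST['discount'] ) ? floatval( $_POST['discount'] ) : 0.0;
    if ( 0 === $category_id || ! term_exists( $category_id, 'product_cat' ) ) {
        wp_send_json_error( array( 'message' => 'Unknown product category.' ), 400 );
    }
    if ( $discount < 0 || $discount > 100 ) {
        wp_send_json_error( array( 'message' => 'Discount must be between 0 and 100 percent.' ), 400 );
    }

    $discounts                 = get_option( 'cdw_example_discounts', array() );
    $discounts[ $category_id ] = $discount;
    update_option( 'cdw_example_discounts', $discounts );

    wp_send_json_success( array( 'category_id' => $category_id, 'discount' => $discount ) );
}
// Authenticated hook only: a state-changing endpoint gets no wp_ajax_nopriv_ twin.
add_action( 'wp_ajax_cdw_example_save_discount', 'cdw_example_save_discount_secure' );

// The admin page that calls the endpoint has to pass the nonce along, for example:
// wp_localize_script( 'cdw-admin', 'cdwAjax', array(
//     'nonce' => wp_create_nonce( 'cdw_example_save_discount' ),
// ) );
```

The capability check is the fix the summary describes; the nonce check is the usual companion, because a capability check alone still lets an attacker trigger the change through a logged-in manager's browser. Dropping the nopriv registration closes the anonymous path entirely, which is the right default for anything that writes.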

Operationally, every site running version 4.12 or earlier is exposed. An attacker can raise the discount on a product category to buy goods far below their intended price, or remove discounts the merchant relies on for a running campaign. The damage is not limited to the margin on individual orders: silently changed prices disrupt the merchant's pricing strategy, feed wrong figures into reporting and inventory tooling that reads order values, and erode customer trust once the inconsistencies become visible. Because no credentials or prior access are needed, the flaw is cheap to exploit at scale against every reachable site on an affected version.

The exposure is broad within the WordPress ecosystem because the plugin sits on top of Woocommerce, which a large number of small and mid-sized shops use for their storefront. The ATT&CK mapping given for this entry is privilege escalation: the attacker does not obtain an account, but gains a modification capability that should have been reserved for shop administrators. For an affected organisation the realistic consequences are revenue leakage through manipulated discounts, listed prices that no longer match what was planned for competitors or marketplaces, and the operational cost of finding and reverting the changes.

Mitigation starts with updating the plugin to a release that adds the capability check to wpcd_save_discount(); the summary lists every version up to and including 4.12 as affected, so any site in that range should update and then confirm the installed version actually changed, since a failed or partial update leaves the handler as it was. Until the update is in place, administrators should block or rate-limit unauthenticated requests to the affected endpoint at the web application firewall or in a must-use plugin, and review the current discount configuration for values nobody on the team set, because an already-exploited site is not repaired by the update alone. Afterwards, keep watching for unexpected discount changes (option updates, admin-ajax requests that touch discounts, orders at unusually low prices) and check the rest of the e-commerce stack for the same class of flaw: missing capability and nonce checks in AJAX handlers are a recurring pattern in WordPress plugins, and a second one would compound the risk of this entry.
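As an added example of the stopgap described above (not part of the plugin and not from VulDB's advisory), the following must-use plugin refuses requests to a named AJAX action unless the caller holds manage_woocommerce, and logs each refusal so that exploitation attempts show up in the PHP error log. The action name stored in CDW_VP_ACTION is an assumption: the page does not state which action wpcd_save_discount() is registered under, so it has to be taken from the plugin source before this is deployed.

```php
<?php
/**
 * Plugin Name: Example virtual patch for an unauthenticated discount-save endpoint
 * Description: Added illustrative mu-plugin, not part of the Category Discount
 * Woocommerce plugin or of VulDB. Drop into wp-content/mu-plugins/ as a stopgap
 * until the plugin is updated, then remove it.
 */

// ASSUMPTION: the AJAX action name the vulnerable handler is registered under.
// The advisory does not state it; replace this with the value from the plugin source.
define( 'CDW_VP_ACTION', 'example_save_discount_action' );

/**
 * Decide whether a request must be blocked. Returns a reason string, or null to allow.
 * Kept free of WordPress calls so the decision can be reasoned about on its own.
 */
function cdw_vp_block_reason( $request_action, $user_is_manager, $is_ajax ) {
    if ( ! $is_ajax || CDW_VP_ACTION !== $request_action ) {
        return null;                       // not the endpoint we are guarding
    }
    if ( ! $user_is_manager ) {
        return 'unauthorised caller';      // the capability check the plugin lacks
    }
    return null;
}

/**
 * Enforce the decision before admin-ajax.php dispatches wp_ajax_* / wp_ajax_nopriv_*.
 */
function cdw_vp_enforce() {
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    $reason = cdw_vp_block_reason(
        $action,
        current_user_can( 'manage_woocommerce' ),
        defined( 'DOING_AJAX' ) && DOING_AJAX
    );
    if ( null === $reason ) {
        return;
    }
    // Audit trail for the monitoring the advisory recommends: who tried, from where,
    // and which parameters they sent (names only, so no customer data lands in logs).
    error_log( sprintf(
        '[cdw-virtual-patch] blocked %s: ip=%s user=%d post_keys=%s',
        $reason,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        get_current_user_id(),
        implode( ',', array_keys( $_POST ) )
    ) );
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}
// 'init' fires after the current user has been determined and before admin-ajax.php
// dispatches its action hooks, so the capability check is meaningful here.
add_action( 'init', 'cdw_vp_enforce', 1 );
```

Two caveats apply. This guards only requests routed through admin-ajax.php; if the plugin handles the save on a different hook or a front-end POST, the action name check needs to be adapted to that path. And a virtual patch is a bridge, not a fix: once the updated plugin is installed, remove the mu-plugin so it does not mask future changes to the real handler.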

Responsible

Wordfence

Reservation

01/16/2024

Disclosure

01/25/2024

Moderation

accepted

CPE

ready

EPSS

0.00490

KEV

no

Activities

very low
