Ultimate Gift Cards for WooCommerce <= 3.2.4 - Missing Authorization
Description
The Ultimate Gift Cards for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.2.4. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=3.2.4What Changed in the Fix
Changes introduced in v3.2.5
Source Code
WordPress.org SVN# Vulnerability Research Plan: CVE-2026-24375 - Missing Authorization in Ultimate Gift Cards for WooCommerce ## 1. Vulnerability Summary The **Ultimate Gift Cards for WooCommerce** plugin (versions <= 3.2.4) contains a missing authorization vulnerability within its onboarding and notice management …
Show full research plan
Vulnerability Research Plan: CVE-2026-24375 - Missing Authorization in Ultimate Gift Cards for WooCommerce
1. Vulnerability Summary
The Ultimate Gift Cards for WooCommerce plugin (versions <= 3.2.4) contains a missing authorization vulnerability within its onboarding and notice management logic. Specifically, the plugin registers several AJAX handlers using the wp_ajax_nopriv_ prefix, making them accessible to unauthenticated users. These handlers lack both capability checks (e.g., current_user_can('manage_options')) and nonce verification, allowing any visitor to modify plugin options or dismiss administrative alerts.
The primary vulnerable component is the Makewebbetter_Onboarding_Helper class, which handles the initial plugin setup wizard.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Actions:
send_onboarding_dataandskip_onboarding_popup - Vulnerability Type: Missing Authorization (and Missing Nonce Check)
- Authentication: None (Unauthenticated)
- Preconditions: The plugin must be active.
3. Code Flow
- Registration: In
includes/class-makewebbetter-onboarding-helper.php, the constructor registers the following hooks:add_action( 'wp_ajax_send_onboarding_data', array( $this, 'send_onboarding_data' ) ); add
Summary
The Ultimate Gift Cards for WooCommerce plugin suffers from missing authorization and nonce verification in several AJAX endpoints, most notably during the onboarding process and smart coupon migration. This allows unauthenticated or low-privileged attackers to trigger sensitive administrative tasks, such as migrating database records or modifying plugin configuration data.
Vulnerable Code
// includes/class-makewebbetter-onboarding-helper.php line 135 // Ajax to send data. add_action( 'wp_ajax_send_onboarding_data', array( $this, 'send_onboarding_data' ) ); add_action( 'wp_ajax_nopriv_send_onboarding_data', array( $this, 'send_onboarding_data' ) ); // Ajax to Skip popup. add_action( 'wp_ajax_skip_onboarding_popup', array( $this, 'skip_onboarding_popup' ) ); add_action( 'wp_ajax_nopriv_skip_onboarding_popup', array( $this, 'skip_onboarding_popup' ) ); --- // admin/class-woocommerce-gift-cards-lite-admin.php around line 2556 /** * Migrate smart coupons to giftcards * * @name wps_wgm_migrate_smart_coupons_to_giftcards() */ public function wps_wgm_migrate_smart_coupons_to_giftcards() { // No check_ajax_referer or current_user_can checks before performing DB operations global $wpdb; // ... (logic continues)
Security Fix
@@ -2556,6 +2556,12 @@ * @name wps_wgm_migrate_smart_coupons_to_giftcards() */ public function wps_wgm_migrate_smart_coupons_to_giftcards() { + + check_ajax_referer( 'wps-wgm-verify-nonce', 'nonce' ); + if ( ! current_user_can( 'manage_options' ) ) { + return; + } + global $wpdb; $general_settings = get_option( 'wps_wgm_general_settings', array() ); @@ -496,7 +502,10 @@ "click", "#wps_wgm_transfer_smart_coupons", function() { - var data = { action:'wps_migrate_smart_coupons_to_giftcards' }; + var data = { + action:'wps_migrate_smart_coupons_to_giftcards', + nonce : wps_wgc.wps_wgm_nonce + }; $("#wps_wgm_loader_other").show(); $.ajax({
Exploit Outline
The exploit involves sending an unauthenticated or low-privileged AJAX request to the WordPress backend. An attacker can target `/wp-admin/admin-ajax.php` with the POST action `wps_migrate_smart_coupons_to_giftcards` or onboarding-related actions such as `send_onboarding_data`. Because the plugin uses `wp_ajax_nopriv_` for onboarding and fails to verify user capabilities or nonces in the migration handler, the attacker can execute these functions to manipulate database state or plugin settings without providing any valid administrative credentials.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.