CVE-2024-11423
📋 TL;DR
This vulnerability allows unauthenticated attackers to manipulate gift card balances in WooCommerce stores using the Ultimate Gift Cards plugin. Attackers can recharge gift cards without payment or reduce balances without purchases. All WordPress sites using this plugin up to version 3.0.6 are affected.
💻 Affected Systems
- Ultimate Gift Cards for WooCommerce WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could create unlimited gift card balances, leading to significant financial loss through fraudulent purchases or cash-out schemes, potentially bankrupting the business.
Likely Case
Attackers exploit gift cards for free products/services, causing direct revenue loss and inventory depletion while undermining customer trust in the gift card system.
If Mitigated
With proper monitoring, unauthorized balance changes are detected quickly, limiting financial impact to small amounts before remediation.
🎯 Exploit Status
Exploitation requires sending crafted HTTP requests to vulnerable REST API endpoints. No authentication or special privileges needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.7 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3212554/woo-gift-cards-lite/trunk/includes/giftcard-redeem-api-addon.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Ultimate Gift Cards for WooCommerce'.
4. Click 'Update Now' if available.
5. Alternatively, download version 3.0.7+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable REST endpoints
Block access to the /wp-json/gifting/ REST API endpoints using web application firewall or .htaccess rules
# Apache .htaccess example
# Place this above the "# BEGIN WordPress" block: WordPress's own rule
# rewrites every request to index.php with [L], so a rule after it never runs.
RewriteEngine On
RewriteRule ^wp-json/gifting/ - [F,L]
Disable plugin
Temporarily disable the Ultimate Gift Cards plugin until patched
wp plugin deactivate woo-gift-cards-lite
🧯 If You Can't Patch
- Implement strict rate limiting on /wp-json/ endpoints to prevent automated exploitation
- Monitor gift card balance changes and set alerts for unusual activity patterns
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Ultimate Gift Cards for WooCommerce' version 3.0.6 or lower
Check Version:
wp plugin list --name='woo-gift-cards-lite' --field=version
Verify Fix Applied:
Verify plugin version is 3.0.7 or higher in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-json/gifting/recharge-giftcard from unauthenticated users
- Sudden gift card balance changes without corresponding purchase transactions
Network Indicators:
- HTTP POST requests to gift card REST endpoints without authentication headers
- Unusual traffic patterns to /wp-json/gifting/* endpoints
SIEM Query:
source="web_access_logs" AND uri_path="/wp-json/gifting/*" AND http_method="POST" AND NOT (user_agent="WordPress/*" OR authenticated_user!="")
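As an added example (not part of the original advisory), the log indicators above implemented as a small detector over Apache/Nginx combined-format access logs: it flags every POST to the /wp-json/gifting/ namespace and groups hits per source IP so a burst stands out. The sample log lines and the burst threshold are constructed for illustration; the only endpoint name it uses is the recharge-giftcard path the advisory names.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
GIFTING_PREFIX = "/wp-json/gifting/"   # REST namespace named in the advisory

def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_suspicious(entry):
    """Page indicator: a POST to any gift card REST route (query string ignored)."""
    if entry is None:
        return False
    path = entry["path"].split("?", 1)[0]
    return entry["method"] == "POST" and path.startswith(GIFTING_PREFIX)

def scan(lines, burst_threshold=3):
    """Return (hits, bursts): all suspicious requests, and source IPs with at
    least burst_threshold of them, which is the 'unusual activity' alert case."""
    hits, per_ip = [], defaultdict(int)
    for line in lines:
        entry = parse_line(line)
        if is_suspicious(entry):
            hits.append(entry)
            per_ip[entry["ip"]] += 1
    bursts = {ip: n for ip, n in per_ip.items() if n >= burst_threshold}
    return hits, bursts

# Constructed sample log: one scripted burst, one single hit, and benign traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2024:10:01:02 +0000] "POST /wp-json/gifting/recharge-giftcard HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Dec/2024:10:01:03 +0000] "POST /wp-json/gifting/recharge-giftcard HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Dec/2024:10:01:04 +0000] "POST /wp-json/gifting/recharge-giftcard?x=1 HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Dec/2024:10:01:05 +0000] "POST /wp-json/gifting/recharge-giftcard HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    '198.51.100.9 - - [10/Dec/2024:10:02:10 +0000] "POST /wp-json/gifting/recharge-giftcard HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [10/Dec/2024:10:02:11 +0000] "GET /wp-json/gifting/recharge-giftcard HTTP/1.1" 404 52 "-" "Mozilla/5.0"',
    '192.0.2.4 - - [10/Dec/2024:10:03:00 +0000] "POST /wp-json/wc/v3/orders HTTP/1.1" 201 900 "-" "WooCommerce"',
]

if __name__ == "__main__":
    found, bursting = scan(SAMPLE_LOG)
    print(f"{len(found)} suspicious requests; bursting sources: {bursting}")
```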
🔗 References
- https://plugins.trac.wordpress.org/changeset/3212554/woo-gift-cards-lite/trunk/includes/giftcard-redeem-api-addon.php
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3208474%40woo-gift-cards-lite&new=3208474%40woo-gift-cards-lite&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/836884b5-f547-4f50-8a97-5d910d877e5e?source=cve