cleantalk
Vulnerabilities and Security Researches

Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts, CVE-2024-8541

CVE, Research URL

CVE-2024-8541

Home page URL

Security reports for Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts

Application

Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts

Published on
Oct 16, 2024
Research Description
The Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts, Bulk Discount, BOGO Coupons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.6.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a site administrator into performing an action such as clicking on a link. Please note that this is only exploitable when the 'Leave a Review' notice is present, which occurs after 100 orders are made and disappears after a user dismisses the notice.
Affected versions
Min -, max 2.6.6.
Status
vulnerable
Previous vulnerability researches
Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts (CVE-2020-36834) , May 07, 2025
Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts (CVE-2022-2090) , Jun 07, 2024
Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts (CVE-2024-8541) , Oct 16, 2024
Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts (990b5399af40307881e6b85b4657b12b43e1bc31) , Jun 07, 2024
New vulnerability
CarDealerPress (CVE-2025-3860) , May 08, 2025
Crossword Compiler Puzzles (CVE-2025-46493) , May 08, 2025
Frontend Dashboard (CVE-2025-4104) , May 08, 2025
Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce (CVE-2025-0671) , May 08, 2025
Pods – Custom Content Types and Fields (CVE-2025-1446) , May 08, 2025