CVE-2020-36841 MEDIUM

CVE-2020-36841: WooCommerce Smart Coupons <= 4.6.0 - Unauthenticated Coupon Creation

Vendor Woocommerce

Product WooCommerce Smart Coupons

Weakness CWE-285

Published October 16, 2024

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The WooCommerce Smart Coupons plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the woocommerce_coupon_admin_init function in versions up to, and including, 4.6.0. This makes it possible for unauthenticated attackers to send themselves gift certificates of any value, which could be redeemed for products sold on the victim’s storefront.

Key dates

02Disclosure timeline

October 16, 2024 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2020-36841 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/285.html

Related vulnerabilities

CVE-2020-36841: WooCommerce Smart Coupons <= 4.6.0 - Unauthenticated Coupon Creation

01Description

02Disclosure timeline

03References

04Related CVE