CVE-2024-0870 MEDIUM

CVE-2024-0870: YITH WooCommerce Gift Cards <= 4.12.0 - Missing Authorization to Unauthenticated WooCommerce Settings Update

Vendor Yithemes

Product YITH WooCommerce Gift Cards

Weakness CWE-285

Published May 14, 2024

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The YITH WooCommerce Gift Cards plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_mail_status' and 'save_email_settings' functions in all versions up to, and including, 4.12.0. This makes it possible for unauthenticated attackers to modify WooCommerce settings.

Key dates

02Disclosure timeline

May 14, 2024 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-0870

Related vulnerabilities

04Related CVE

CVE-2026-7292 o2oa NodeAgent NodeAgent.java syncFile improper authorization CVE-2026-33735 MyTube has an Improper Access Control that Allows Complete Application Takeover CVE-2023-44125 Personalized service - Theft and (over-)write of arbitrary files with system privilege via PendingIntent hijacking CVE-2025-48063 XWiki Platform Security Authorization Bridge allows users with just edit right can enforce required rights with programming right CVE-2022-39340 OpenFGA Information Disclosure