Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for discount_rules_for_woocommerce by flycart

    CVE-2024-8541 (GCVE-0-2024-8541)

    Vulnerability from nvd – Published: 2024-10-16 02:05 – Updated: 2026-04-08 16:45
    VLAI
    Title
    Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts, Bulk Discount, BOGO Coupons <= 2.6.5 - Reflected Cross-Site Scripting
    Summary
    The Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts, Bulk Discount, BOGO Coupons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.6.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a site administrator into performing an action such as clicking on a link. Please note that this is only exploitable when the 'Leave a Review' notice is present, which occurs after 100 orders are made and disappears after a user dismisses the notice.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    flycart Discount Rules for WooCommerce Affected: 0 , ≤ 2.6.5 (semver)
    Create a notification for this product.
    Credits
    vgo0
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8541",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-16T14:09:29.531367Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-16T14:09:37.495Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Discount Rules for WooCommerce",
              "vendor": "flycart",
              "versions": [
                {
                  "lessThanOrEqual": "2.6.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "vgo0"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Discount Rules for WooCommerce \u2013 Create Smart WooCommerce Coupons \u0026 Discounts, Bulk Discount, BOGO Coupons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.6.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a site administrator into performing an action such as clicking on a link. Please note that this is only exploitable when the \u0027Leave a Review\u0027 notice is present, which occurs after 100 orders are made and disappears after a user dismisses the notice."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:45:55.116Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3529044f-c3d8-4370-8ba5-9df0fb71ab3c?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3149013/"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/woo-discount-rules/tags/2.6.5/v2/App/Views/Admin/review-notice.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-10-15T12:23:35.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Discount Rules for WooCommerce \u2013 Create Smart WooCommerce Coupons \u0026 Discounts, Bulk Discount, BOGO Coupons \u003c= 2.6.5 - Reflected Cross-Site Scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-8541",
        "datePublished": "2024-10-16T02:05:01.072Z",
        "dateReserved": "2024-09-06T18:28:20.243Z",
        "dateUpdated": "2026-04-08T16:45:55.116Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-2090 (GCVE-0-2022-2090)

    Vulnerability from nvd – Published: 2022-07-17 10:35 – Updated: 2024-08-03 00:24
    VLAI
    Title
    Woo Discount Rules < 2.4.2 - Reflected Cross-Site Scripting
    Summary
    The Discount Rules for WooCommerce WordPress plugin before 2.4.2 does not escape a parameter before outputting it back in an attribute of the plugin's discount rule page, leading to Reflected Cross-Site Scripting
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Unknown Discount Rules for WooCommerce Affected: 2.4.2 , < 2.4.2 (custom)
    Create a notification for this product.
    Credits
    ZhongFu Su(JrXnm) of WuHan University
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:24:44.180Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/0201f365-7acb-4640-bd3f-7119432f4917"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Discount Rules for WooCommerce",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.4.2",
                  "status": "affected",
                  "version": "2.4.2",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "ZhongFu Su(JrXnm) of WuHan University"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Discount Rules for WooCommerce WordPress plugin before 2.4.2 does not escape a parameter before outputting it back in an attribute of the plugin\u0027s discount rule page, leading to Reflected Cross-Site Scripting"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-17T10:35:45.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/0201f365-7acb-4640-bd3f-7119432f4917"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Woo Discount Rules \u003c 2.4.2 - Reflected Cross-Site Scripting",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2022-2090",
              "STATE": "PUBLIC",
              "TITLE": "Woo Discount Rules \u003c 2.4.2 - Reflected Cross-Site Scripting"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Discount Rules for WooCommerce",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.4.2",
                                "version_value": "2.4.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "ZhongFu Su(JrXnm) of WuHan University"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Discount Rules for WooCommerce WordPress plugin before 2.4.2 does not escape a parameter before outputting it back in an attribute of the plugin\u0027s discount rule page, leading to Reflected Cross-Site Scripting"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/0201f365-7acb-4640-bd3f-7119432f4917",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/0201f365-7acb-4640-bd3f-7119432f4917"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-2090",
        "datePublished": "2022-07-17T10:35:45.000Z",
        "dateReserved": "2022-06-15T00:00:00.000Z",
        "dateUpdated": "2024-08-03T00:24:44.180Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-8541 (GCVE-0-2024-8541)

    Vulnerability from cvelistv5 – Published: 2024-10-16 02:05 – Updated: 2026-04-08 16:45
    VLAI
    Title
    Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts, Bulk Discount, BOGO Coupons <= 2.6.5 - Reflected Cross-Site Scripting
    Summary
    The Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts, Bulk Discount, BOGO Coupons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.6.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a site administrator into performing an action such as clicking on a link. Please note that this is only exploitable when the 'Leave a Review' notice is present, which occurs after 100 orders are made and disappears after a user dismisses the notice.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    flycart Discount Rules for WooCommerce Affected: 0 , ≤ 2.6.5 (semver)
    Create a notification for this product.
    Credits
    vgo0
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8541",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-16T14:09:29.531367Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-16T14:09:37.495Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Discount Rules for WooCommerce",
              "vendor": "flycart",
              "versions": [
                {
                  "lessThanOrEqual": "2.6.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "vgo0"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Discount Rules for WooCommerce \u2013 Create Smart WooCommerce Coupons \u0026 Discounts, Bulk Discount, BOGO Coupons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.6.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a site administrator into performing an action such as clicking on a link. Please note that this is only exploitable when the \u0027Leave a Review\u0027 notice is present, which occurs after 100 orders are made and disappears after a user dismisses the notice."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:45:55.116Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3529044f-c3d8-4370-8ba5-9df0fb71ab3c?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3149013/"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/woo-discount-rules/tags/2.6.5/v2/App/Views/Admin/review-notice.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-10-15T12:23:35.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Discount Rules for WooCommerce \u2013 Create Smart WooCommerce Coupons \u0026 Discounts, Bulk Discount, BOGO Coupons \u003c= 2.6.5 - Reflected Cross-Site Scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-8541",
        "datePublished": "2024-10-16T02:05:01.072Z",
        "dateReserved": "2024-09-06T18:28:20.243Z",
        "dateUpdated": "2026-04-08T16:45:55.116Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-2090 (GCVE-0-2022-2090)

    Vulnerability from cvelistv5 – Published: 2022-07-17 10:35 – Updated: 2024-08-03 00:24
    VLAI
    Title
    Woo Discount Rules < 2.4.2 - Reflected Cross-Site Scripting
    Summary
    The Discount Rules for WooCommerce WordPress plugin before 2.4.2 does not escape a parameter before outputting it back in an attribute of the plugin's discount rule page, leading to Reflected Cross-Site Scripting
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Unknown Discount Rules for WooCommerce Affected: 2.4.2 , < 2.4.2 (custom)
    Create a notification for this product.
    Credits
    ZhongFu Su(JrXnm) of WuHan University
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:24:44.180Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/0201f365-7acb-4640-bd3f-7119432f4917"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Discount Rules for WooCommerce",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.4.2",
                  "status": "affected",
                  "version": "2.4.2",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "ZhongFu Su(JrXnm) of WuHan University"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Discount Rules for WooCommerce WordPress plugin before 2.4.2 does not escape a parameter before outputting it back in an attribute of the plugin\u0027s discount rule page, leading to Reflected Cross-Site Scripting"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-17T10:35:45.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/0201f365-7acb-4640-bd3f-7119432f4917"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Woo Discount Rules \u003c 2.4.2 - Reflected Cross-Site Scripting",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2022-2090",
              "STATE": "PUBLIC",
              "TITLE": "Woo Discount Rules \u003c 2.4.2 - Reflected Cross-Site Scripting"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Discount Rules for WooCommerce",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.4.2",
                                "version_value": "2.4.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "ZhongFu Su(JrXnm) of WuHan University"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Discount Rules for WooCommerce WordPress plugin before 2.4.2 does not escape a parameter before outputting it back in an attribute of the plugin\u0027s discount rule page, leading to Reflected Cross-Site Scripting"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/0201f365-7acb-4640-bd3f-7119432f4917",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/0201f365-7acb-4640-bd3f-7119432f4917"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-2090",
        "datePublished": "2022-07-17T10:35:45.000Z",
        "dateReserved": "2022-06-15T00:00:00.000Z",
        "dateUpdated": "2024-08-03T00:24:44.180Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }