WPGraphQL WooCommerce <= 0.11.0 - Unauthenticated Coupon Codes Disclosure
Description
The WPGraphQL WooCommerce WordPress plugin before 0.12.4 does not prevent unauthenticated attackers from enumerating a shop's coupon codes and values via GraphQL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Range: <0.12.4
Patches
Vulnerability mechanics
Root cause
"Missing access control on GraphQL queries allows unauthenticated enumeration of coupon codes and their values."
Attack vector
An unauthenticated attacker sends crafted GraphQL queries to the WooCommerce GraphQL endpoint to enumerate coupon codes and their discount values [ref_id=1]. The plugin prior to version 0.12.4 does not enforce any authentication or capability checks on the coupon-related GraphQL resolvers, allowing anyone with network access to the WordPress site to list all active coupons [CWE-284]. No special privileges or prior knowledge are required beyond the ability to reach the GraphQL API endpoint.
Affected code
The advisory does not specify exact file paths or function names. The vulnerability exists in the GraphQL schema resolvers of the WPGraphQL WooCommerce plugin (slug: wp-graphql-woocommerce) that handle coupon-related queries [ref_id=1].
What the fix does
The advisory states the vulnerability is fixed in version 0.12.4 of the WPGraphQL WooCommerce plugin [ref_id=1]. No patch diff is provided in the bundle, but the fix presumably adds access control checks to the GraphQL resolvers that expose coupon data, ensuring only authenticated users with appropriate capabilities (e.g., shop managers) can query coupon codes and values. Users should update to version 0.12.4 or later.
Preconditions
- network: Attacker must be able to reach the WordPress site's GraphQL API endpoint.
- auth: No authentication required; the attack is unauthenticated.
Reproduction
The advisory's proof of concept section is empty [ref_id=1]. However, an attacker would send unauthenticated GraphQL queries to the WooCommerce GraphQL endpoint requesting coupon fields (e.g., coupon code, amount, discount type) to enumerate all available coupons and their values.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- wpscan.com/vulnerability/19138092-50d3-4d63-97c5-aa8e1ce39456/
News mentions
No linked articles in our index yet.