MyRewards WooCommerce Plugin Missing Authorization Vulnerability Allowing Arbitrary Loyalty Rule Modification
Vulnerability
A missing authorization vulnerability has been identified in the MyRewards – Loyalty Points and Rewards for WooCommerce plugin for WordPress, affecting all versions up to and including 5.6.0. The plugin's 'ajax' function does not verify that the requesting user is authorized (has the required capability) to perform the requested action. As a result, authenticated attackers with subscriber-level access or higher can modify, add, or delete loyalty program earning rules, including setting point multipliers to arbitrary values.
Impact
Exploitation of this vulnerability allows for unauthorized modification of loyalty program earning rules, including point multipliers, by authenticated users with subscriber-level access or higher.
Reproduction
To reproduce this vulnerability, an authenticated user with subscriber-level access or above sends a request to the 'ajax' function of the MyRewards WooCommerce plugin with the 'id', 'method', and 'line' parameters. The 'method' parameter is set to 'put' to modify a loyalty rule or 'del' to delete one. The 'line' parameter carries a base64-encoded JSON string representing the loyalty rule data, including any desired point multiplier change.
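The checks whose absence the advisory describes, shown as an added example rather than the MyRewards plugin's own code: a hardened WordPress admin-ajax handler for a hypothetical rule-save action that accepts the same 'id', 'method' and 'line' parameters. The action hook, option name, the 'multiplier' and 'name' fields inside the JSON, the multiplier bound and the choice of the 'manage_woocommerce' capability are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. Hook name, option name and the
// 'manage_woocommerce' capability are assumptions for illustration.
add_action( 'wp_ajax_example_save_rule', 'example_save_rule_ajax' );

function example_save_rule_ajax() {
    // 1. Authorization: the check the advisory reports as missing. A
    //    subscriber-level account does not hold this capability and is
    //    rejected before any rule data is touched.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 2. CSRF protection: require a nonce bound to this specific action.
    check_ajax_referer( 'example_save_rule', 'nonce' );

    // 3. Input validation: 'method' is a closed set, 'id' an integer,
    //    'line' must decode to a JSON object with a bounded multiplier.
    $method = isset( $_POST['method'] ) ? sanitize_key( $_POST['method'] ) : '';
    if ( ! in_array( $method, array( 'put', 'del' ), true ) ) {
        wp_send_json_error( array( 'message' => 'bad method' ), 400 );
    }
    $id    = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $rules = get_option( 'example_earning_rules', array() );

    if ( 'del' === $method ) {
        unset( $rules[ $id ] );
    } else {
        // Strict base64 decoding rejects garbage; json_decode must yield an array.
        $raw  = isset( $_POST['line'] ) ? base64_decode( wp_unslash( $_POST['line'] ), true ) : false;
        $line = $raw ? json_decode( $raw, true ) : null;
        if ( ! is_array( $line ) || ! isset( $line['multiplier'] ) ) {
            wp_send_json_error( array( 'message' => 'bad rule' ), 400 );
        }
        $multiplier = (float) $line['multiplier'];
        if ( $multiplier < 0 || $multiplier > 100 ) { // assumed business bound
            wp_send_json_error( array( 'message' => 'multiplier out of range' ), 400 );
        }
        $rules[ $id ] = array(
            'name'       => sanitize_text_field( $line['name'] ?? '' ),
            'multiplier' => $multiplier,
        );
    }

    update_option( 'example_earning_rules', $rules );
    wp_send_json_success( array( 'rules' => $rules ) );
}
```

When reviewing a plugin for this class of bug, look for every `wp_ajax_*` callback and confirm that a `current_user_can()` check precedes any write; a nonce alone does not authorize the caller, it only ties the request to a page the user already loaded.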
