Executive Summary

The vulnerability in the WPC Name Your Price for WooCommerce plugin allows unauthenticated attackers to purchase products at prices lower than intended. This happens because the plugin does not properly disable the ability to name a custom price when this feature is disabled for a product. Essentially, attackers can bypass restrictions and set unauthorized custom prices, leading to unauthorized price alterations. [2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to financial loss as attackers can buy products at prices less than they should be able to pay. It undermines the pricing integrity of the WooCommerce store using the affected plugin, potentially causing revenue loss and affecting business operations. [2]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the WPC Name Your Price plugin version is 2.1.9 or earlier, as these versions are vulnerable. You can verify the plugin version installed on your WordPress site by running the following WP-CLI command: `wp plugin list --status=active | grep wpc-name-your-price`. Additionally, monitoring HTTP requests to the WooCommerce product purchase endpoints for unusual price parameters or attempts to submit custom prices when the feature is disabled may help detect exploitation attempts. However, no specific detection commands or signatures are provided in the available resources. [2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to update the WPC Name Your Price plugin to version 2.2.0 or later, as this version contains the security fix addressing the vulnerability. The update improves validation of product eligibility for custom pricing, sanitizes user input to prevent negative or invalid prices, and enforces product status checks to disable unauthorized price naming. Until the update is applied, consider disabling the plugin or restricting access to the custom price feature to trusted users only. [2]

Useful 0 Not Useful 0