
CVE-2024-11423: CWE-862 Missing Authorization in WP Swings Gift Cards for WooCommerce Pro

Severity: High
Published: Wed Jan 08 2025 (01/08/2025, 11:09:24 UTC)
Source: CVE Database V5
Vendor/Project: WP Swings
Product: Gift Cards for WooCommerce Pro

Description

CVE-2024-11423 is a high-severity vulnerability in the WP Swings Gift Cards for WooCommerce Pro plugin that allows unauthenticated attackers to modify gift card balances because REST API endpoints lack authorization checks. Attackers can recharge or reduce gift card balances without payment, leading to financial loss and potential fraud. The vulnerability affects all versions up to and including 3.0.6. Exploitation requires no authentication or user interaction and can be performed remotely over the network. There are currently no known exploits in the wild, but the ease of exploitation and the impact on integrity make this a critical risk for WooCommerce stores using this plugin. Organizations should prioritize patching or applying mitigations to prevent unauthorized gift card manipulation. Countries with significant WooCommerce usage and e-commerce activity are most at risk.

AI-Powered Analysis

AI last updated: 02/26/2026, 06:57:01 UTC

Technical Analysis

CVE-2024-11423 is a missing authorization vulnerability (CWE-862) in the Ultimate Gift Cards for WooCommerce Pro plugin developed by WP Swings. The flaw exists in several REST API endpoints, including /wp-json/gifting/recharge-giftcard, where the plugin fails to perform proper capability checks before allowing modifications to gift card balances. This lack of authorization verification enables unauthenticated attackers to recharge gift cards or reduce their balances without making any payment or having valid credentials. The vulnerability affects all versions up to 3.0.6 inclusive. The CVSS 3.1 base score is 7.5 (high), reflecting the ease of remote exploitation without authentication or user interaction, and the high impact on data integrity. The vulnerability compromises the integrity of gift card balances, allowing attackers to fraudulently increase or decrease balances, potentially causing financial losses and undermining trust in the e-commerce platform. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability is particularly dangerous because it targets a financial component integrated into WooCommerce, a widely used e-commerce platform on WordPress, which powers a significant portion of online stores globally.
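To make the CWE-862 pattern concrete, the following added example (not the plugin's source code) shows how a WordPress REST route registered without a capability check compares with the same route guarded by a permission_callback. The namespace and route path come from the advisory; the callback name, the manage_woocommerce capability, the argument names and the post meta key are assumptions made for illustration.

```php
<?php
// Added illustration, not the plugin's source code. The namespace and route
// come from the advisory; callback, capability, args and meta key are hypothetical.

// Shape of a CWE-862 route: permission_callback '__return_true' lets any
// unauthenticated caller reach the balance-changing callback. Shown for
// comparison only; it is deliberately not hooked below.
function gc_example_register_unauthorized_route() {
    register_rest_route( 'gifting', '/recharge-giftcard', array(
        'methods'             => 'POST',
        'callback'            => 'gc_example_recharge',
        'permission_callback' => '__return_true',
    ) );
}

// Fixed shape: WordPress runs permission_callback before the callback, so a
// caller without the capability receives 401 (anonymous) or 403 (logged in)
// and the balance is never touched. Arguments are validated before use.
function gc_example_register_authorized_route() {
    register_rest_route( 'gifting', '/recharge-giftcard', array(
        'methods'             => 'POST',
        'callback'            => 'gc_example_recharge',
        'permission_callback' => function () {
            return current_user_can( 'manage_woocommerce' )
                ? true
                : new WP_Error( 'rest_forbidden', 'Not allowed to change gift card balances.',
                                array( 'status' => rest_authorization_required_code() ) );
        },
        'args' => array(
            'card_id' => array( 'required' => true, 'type' => 'integer' ),
            'amount'  => array(
                'required'          => true,
                'validate_callback' => function ( $value ) { return is_numeric( $value ) && $value > 0; },
            ),
        ),
    ) );
}
add_action( 'rest_api_init', 'gc_example_register_authorized_route' );

// Hypothetical balance update: the card is a post, its balance is post meta.
function gc_example_recharge( WP_REST_Request $request ) {
    $card_id = (int) $request['card_id'];
    if ( ! get_post( $card_id ) ) {
        return new WP_Error( 'gc_not_found', 'Unknown gift card.', array( 'status' => 404 ) );
    }
    $balance = (float) get_post_meta( $card_id, '_gc_example_balance', true ) + (float) $request['amount'];
    update_post_meta( $card_id, '_gc_example_balance', $balance );
    return rest_ensure_response( array( 'card_id' => $card_id, 'balance' => $balance ) );
}
```

A quick check for any gift card or payment plugin is to grep its register_rest_route calls for permission_callback values of '__return_true' or an omitted permission_callback on routes that change state.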

Potential Impact

The primary impact of CVE-2024-11423 is on the integrity of gift card balances managed by the vulnerable plugin. Attackers can fraudulently increase gift card balances without payment, enabling unauthorized purchases or financial theft. Conversely, attackers can also reduce balances, potentially causing customer disputes and loss of revenue. This undermines customer trust and can lead to financial losses for merchants. Since the vulnerability requires no authentication and can be exploited remotely, it poses a significant risk to any WooCommerce store using this plugin. The availability and confidentiality of systems are not directly impacted, but the financial integrity and business reputation are at high risk. Organizations relying on this plugin for gift card management face potential fraud, chargebacks, and operational disruptions. The lack of known exploits in the wild suggests limited current exploitation, but the vulnerability's characteristics make it a likely target for attackers once widely known.

Mitigation Recommendations

1. As an immediate mitigation, disable or restrict access to the vulnerable REST API endpoints where possible, using a web application firewall (WAF) or custom rules to block unauthorized requests to /wp-json/gifting/recharge-giftcard and related endpoints.
2. Monitor and audit gift card transactions closely for unusual activity, such as unexpected balance increases or decreases.
3. Apply the principle of least privilege by restricting the plugin capabilities and user roles that can manage gift cards.
4. Contact the plugin vendor (WP Swings) for official patches or updates and apply them promptly once available.
5. If patching is not immediately possible, consider temporarily disabling the Gift Cards for WooCommerce Pro plugin or replacing it with a secure alternative.
6. Implement network-level protections such as IP whitelisting or VPN access for administrative API calls where feasible.
7. Educate staff and customers about potential fraud risks and establish incident response plans for gift card abuse.
8. Regularly update WordPress core, WooCommerce, and all plugins to minimize exposure to known vulnerabilities.
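Steps 1 and 2 can be combined in a small must-use plugin that gates the affected routes inside WordPress itself, which helps when no WAF sits in front of the site. The following is an added example (not vendor code): it short-circuits REST dispatch for any route under /gifting/ unless the caller is logged in and holds an assumed capability, and logs each denial for transaction monitoring. The route prefix follows the endpoint named above; the manage_woocommerce capability and the log format are assumptions.

```php
<?php
/**
 * Plugin Name: Gift card REST gate (added example, not vendor code)
 * Install by copying into wp-content/mu-plugins/. Denies every /wp-json/gifting/*
 * request that does not come from a logged-in user with the capability below,
 * and writes a log line for each denial so monitoring can alert on it.
 */

// Assumed values: adjust the capability to the role that should manage balances.
const GC_GATE_ROUTE_PREFIX = '/gifting/';
const GC_GATE_CAPABILITY   = 'manage_woocommerce';

add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    $route = $request->get_route();
    if ( strpos( $route, GC_GATE_ROUTE_PREFIX ) !== 0 ) {
        return $result; // unrelated route, leave dispatch untouched
    }
    if ( is_user_logged_in() && current_user_can( GC_GATE_CAPABILITY ) ) {
        return $result; // authorized caller, normal dispatch continues
    }
    // Denied: record who tried so unexpected recharge attempts show up in logs.
    error_log( sprintf(
        'gc-gate: denied %s %s from %s (user id %d)',
        $request->get_method(),
        $route,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
        get_current_user_id()
    ) );
    // Returning a WP_Error from rest_pre_dispatch ends the request here;
    // rest_authorization_required_code() yields 401 for anonymous, 403 for logged-in users.
    return new WP_Error(
        'rest_forbidden',
        'Gift card endpoints require authorization.',
        array( 'status' => rest_authorization_required_code() )
    );
}, 10, 3 );
```

If the store's checkout legitimately calls these endpoints for customers, narrow the prefix to the balance-changing routes so that flow keeps working.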


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-11-19T15:07:15.819Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e13b7ef31ef0b594c0f

Added to database: 2/25/2026, 9:48:03 PM

Last enriched: 2/26/2026, 6:57:01 AM

Last updated: 2/26/2026, 8:25:27 AM

