CVE-2024-12204 is a missing authorization vulnerability (CWE-862) found in the WordPress plugin 'Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up, WooCommerce Popups' developed by galdub. The vulnerability exists in the class-cx-rest.php file, where several functions lack proper capability checks, allowing authenticated users with minimal privileges (Subscriber role or higher) to perform unauthorized operations. These operations include creating coupons with 100% discounts, deleting posts and leads, and modifying coupon statuses. The absence of authorization checks means that the plugin's REST API endpoints do not verify whether the requesting user has the appropriate permissions before executing sensitive actions. This can lead to privilege escalation within the WordPress environment, enabling attackers to manipulate e-commerce promotions, disrupt content, and interfere with lead management. The vulnerability affects all plugin versions up to 1.3.5. The CVSS 3.1 base score is 5.4 (medium), with an attack vector of network, low attack complexity, requiring privileges but no user interaction, and impacts on confidentiality and integrity but not availability. No patches or exploits are currently publicly known, but the risk remains significant for sites using this plugin without mitigation.

The vulnerability allows low-privilege authenticated users (Subscribers or higher) to escalate their privileges by creating free coupons, deleting content, and altering coupon statuses. This can lead to financial losses through unauthorized discounts, reputational damage from content deletion, and disruption of marketing and sales operations. Attackers could exploit this to undermine the integrity of promotional campaigns, cause customer confusion, and potentially facilitate further attacks by manipulating site content or leads. Organizations relying on WooCommerce and this plugin for e-commerce functionality are particularly at risk. The impact is primarily on confidentiality and integrity of business-critical data and operations, with no direct availability impact. The ease of exploitation by authenticated users makes it a moderate risk, especially in environments with many low-privilege users or where account creation is not tightly controlled.

1. Immediately update the Coupon X plugin to a patched version once available from the vendor. 2. Until a patch is released, restrict user roles that can authenticate on the WordPress site, especially limiting Subscriber-level accounts or enforcing stricter user registration policies. 3. Implement Web Application Firewall (WAF) rules to monitor and block suspicious REST API calls targeting the vulnerable endpoints. 4. Review and harden WordPress user role permissions to minimize unnecessary privileges. 5. Monitor logs for unusual coupon creation or deletion activities. 6. Consider disabling or removing the plugin if it is not essential to reduce attack surface. 7. Conduct regular security audits of plugins and their REST API endpoints to detect missing authorization checks. 8. Educate site administrators on the risks of low-privilege user accounts and enforce strong authentication controls.