
CVE-2024-13316: CWE-862 Missing Authorization in akashmalik Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more

Severity: Medium
Tags: Vulnerability, CVE-2024-13316, CWE-862
Published: Tue Feb 18 2025 (02/18/2025, 08:21:43 UTC)
Source: CVE Database V5
Vendor/Project: akashmalik
Product: Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more

Description

CVE-2024-13316 is a medium severity vulnerability in the WordPress plugin 'Scratch & Win – Giveaways and Contests' by akashmalik, affecting all versions up to and including 2.8.0. The flaw is a missing authorization check in the apmswn_create_discount() function, which allows unauthenticated attackers to create discount coupons. The vulnerability does not affect confidentiality or availability, but it undermines the integrity of promotional campaigns by enabling unauthorized coupon creation. Exploitation requires no authentication or user interaction and can be performed remotely over the network. Although no exploits are currently reported in the wild, the vulnerability poses a risk to e-commerce and marketing sites that use this plugin. Mitigation involves updating the plugin once a patch is released or applying custom authorization checks to restrict coupon creation. Countries with significant WordPress usage and e-commerce activity, such as the United States, United Kingdom, Germany, Australia, Canada, and India, are most likely to be affected. Organizations should prioritize monitoring and restricting access to coupon creation endpoints and apply plugin updates promptly.

AI-Powered Analysis

Last updated: 02/26/2026, 02:13:53 UTC

Technical Analysis

The vulnerability identified as CVE-2024-13316 affects the WordPress plugin 'Scratch & Win – Giveaways and Contests' by akashmalik, which is designed to boost subscribers, traffic, repeat visits, referrals, and sales through promotional giveaways and contests. The issue arises from a missing authorization check (CWE-862) in the apmswn_create_discount() function, which is responsible for creating discount coupons. This flaw allows unauthenticated attackers to invoke this function remotely without any capability verification, enabling them to generate arbitrary coupons. The vulnerability impacts all plugin versions up to and including 2.8.0. The CVSS v3.1 base score is 5.3 (medium severity), reflecting that the attack vector is network-based with low attack complexity, no privileges required, and no user interaction needed. The impact is limited to integrity, as unauthorized coupon creation can disrupt marketing campaigns, cause financial losses, and damage brand reputation. There is no direct impact on confidentiality or availability. No known exploits have been reported in the wild to date. The vulnerability was publicly disclosed in February 2025, with no official patch links available at the time, indicating that users must implement interim mitigations. The flaw is particularly relevant for e-commerce and marketing websites relying on this plugin for promotional activities, as unauthorized coupons can lead to revenue loss and skewed analytics. The vulnerability highlights the importance of proper authorization checks in WordPress plugin development, especially for functions that affect business logic and financial incentives.

Potential Impact

The primary impact of CVE-2024-13316 is on the integrity of promotional campaigns managed through the affected WordPress plugin. Unauthorized creation of discount coupons can lead to financial losses due to unintended discounts being applied, potentially eroding profit margins. It can also distort marketing metrics, making it difficult for organizations to assess the effectiveness of their campaigns accurately. Additionally, widespread abuse could damage the brand's reputation if customers exploit unauthorized coupons or if the business is perceived as having weak security controls. While confidentiality and availability are not directly impacted, the financial and reputational consequences can be significant for businesses relying on this plugin. The ease of exploitation without authentication and user interaction increases the risk of automated attacks targeting vulnerable sites. Organizations with high traffic e-commerce platforms or those heavily dependent on promotional giveaways are at greater risk of operational disruption and revenue impact.

Mitigation Recommendations

1. Monitor official plugin channels for updates and apply patches promptly once available to ensure the authorization check is implemented.
2. Until an official patch is released, implement custom code to enforce capability checks on the apmswn_create_discount() function, restricting coupon creation to authenticated users with appropriate privileges.
3. Use Web Application Firewalls (WAFs) to detect and block suspicious requests targeting coupon creation endpoints, especially those originating from unauthenticated sources.
4. Audit existing coupons for unauthorized entries and revoke any suspicious or fraudulent coupons to mitigate ongoing abuse.
5. Limit the exposure of the plugin’s administrative or API endpoints by restricting access via IP whitelisting or VPNs where feasible.
6. Educate site administrators on the risks of using outdated plugins and encourage regular security reviews of third-party components.
7. Implement logging and alerting on coupon creation activities to detect anomalous patterns indicative of exploitation attempts.
8. Consider alternative plugins with robust security practices if timely patching is not possible.
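The following is an added illustration of what the capability check in recommendation 2 (and the audit logging in recommendation 7) looks like in WordPress plugin code. It is not the Scratch & Win plugin's own code: the function names (example_create_discount_unchecked, example_create_discount_checked, example_store_coupon), the AJAX action name example_create_discount, the nonce action name and the example_coupons option are all invented for this example. The first handler shows the CWE-862 pattern in general (a coupon-creation endpoint registered for unauthenticated visitors with no capability check); the second shows the hardened form.

```php
<?php
// Added example, not the plugin's code. Hook, function and option names are hypothetical.

// Shared storage helper (hypothetical): keeps coupons in a WordPress option.
function example_store_coupon( $code, $amount ) {
    $coupons          = get_option( 'example_coupons', array() );
    $coupons[ $code ] = array( 'amount' => $amount, 'created' => time() );
    update_option( 'example_coupons', $coupons );
}

// --- Missing-authorization pattern (CWE-862) ---------------------------------
// Registered on both wp_ajax_* and wp_ajax_nopriv_*, so logged-out visitors reach
// it, and nothing verifies a nonce or a capability before a coupon is written.
function example_create_discount_unchecked() {
    $code   = sanitize_text_field( wp_unslash( $_POST['code'] ?? '' ) );
    $amount = floatval( $_POST['amount'] ?? 0 );
    example_store_coupon( $code, $amount );
    wp_send_json_success( array( 'code' => $code ) );
}
add_action( 'wp_ajax_example_create_discount', 'example_create_discount_unchecked' );
add_action( 'wp_ajax_nopriv_example_create_discount', 'example_create_discount_unchecked' );

// --- Hardened handler ---------------------------------------------------------
function example_create_discount_checked() {
    // 1. CSRF protection: the request must carry a valid nonce for this action.
    //    check_ajax_referer() terminates the request with a 403 on failure.
    check_ajax_referer( 'example_create_discount', 'nonce' );

    // 2. Authorization (the actual CWE-862 fix): only users with an appropriate
    //    capability may mint coupons. manage_options is the core admin capability;
    //    substitute a narrower one (e.g. a shop-manager capability) if the site defines it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed' ), 403 );
    }

    // 3. Input validation: non-empty code, sane discount range.
    $code   = sanitize_text_field( wp_unslash( $_POST['code'] ?? '' ) );
    $amount = floatval( $_POST['amount'] ?? 0 );
    if ( '' === $code || $amount <= 0 || $amount > 100 ) {
        wp_send_json_error( array( 'message' => 'Invalid coupon' ), 400 );
    }

    example_store_coupon( $code, $amount );

    // 4. Audit trail (recommendation 7): record who created which coupon so that
    //    bursts of coupon creation can be alerted on.
    error_log( sprintf(
        'coupon created: user=%d code=%s amount=%.2f ip=%s',
        get_current_user_id(),
        $code,
        $amount,
        sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ?? '' ) )
    ) );

    wp_send_json_success( array( 'code' => $code ) );
}
// Only the authenticated hook is registered; there is deliberately no
// wp_ajax_nopriv_* registration for a privileged operation.
add_action( 'wp_ajax_example_create_discount', 'example_create_discount_checked' );
```

The two changes that matter for CWE-862 are the absence of a wp_ajax_nopriv_ registration and the current_user_can() check; the nonce check defends against CSRF, which is a separate concern and not a substitute for authorization. When applying this as an interim fix to a third-party plugin, the check has to sit before any database write in the real apmswn_create_discount() call path, and the log line gives recommendation 7 something concrete to alert on.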


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-01-09T22:05:47.683Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 699f6e4eb7ef31ef0b59ca84

Added to database: 2/25/2026, 9:49:02 PM

Last enriched: 2/26/2026, 2:13:53 AM

Last updated: 2/26/2026, 4:38:45 AM

Views: 1
