CVE-2024-7747: CWE-681 Incorrect Conversion between Numeric Types in subratamal Wallet for WooCommerce
The Wallet for WooCommerce plugin for WordPress is vulnerable to incorrect conversion between numeric types in all versions up to, and including, 1.5.6. This is due to a numerical logic flaw when transferring funds to another user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create funds during a transfer and distribute these funds to any number of other users or their own account, rendering products free. Attackers could also request to withdraw funds if the Wallet Withdrawal extension is used and the request is approved by an administrator.
AI Analysis
Technical Summary
The Wallet for WooCommerce plugin suffers from a numeric logic flaw (CWE-681) in its fund transfer functionality, affecting all versions up to 1.5.6. This incorrect conversion between numeric types allows authenticated users with low-level privileges to inflate wallet balances by creating funds during transfers. The vulnerability can be exploited to distribute these funds across multiple accounts or to the attacker's own account. Additionally, if the Wallet Withdrawal extension is installed and withdrawal requests are approved by an administrator, attackers can cash out these unauthorized funds. The CVSS 3.1 base score is 6.5, reflecting medium severity with network attack vector, low attack complexity, and privileges required at the Subscriber level.
Potential Impact
The vulnerability allows authenticated users with Subscriber-level or higher privileges to create and distribute unauthorized funds within the Wallet for WooCommerce plugin, effectively enabling financial fraud by making products free or allowing withdrawal of illegitimate funds if the Wallet Withdrawal extension is used and withdrawal requests are approved. There is no indication of confidentiality or availability impact. No known exploits in the wild have been reported as of the publication date.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should consider restricting Subscriber-level access or higher to trusted users only and carefully review withdrawal requests if the Wallet Withdrawal extension is in use. Monitoring for unusual fund transfers and limiting plugin usage may reduce risk.
CVE-2024-7747: CWE-681 Incorrect Conversion between Numeric Types in subratamal Wallet for WooCommerce
Description
The Wallet for WooCommerce plugin for WordPress is vulnerable to incorrect conversion between numeric types in all versions up to, and including, 1.5.6. This is due to a numerical logic flaw when transferring funds to another user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create funds during a transfer and distribute these funds to any number of other users or their own account, rendering products free. Attackers could also request to withdraw funds if the Wallet Withdrawal extension is used and the request is approved by an administrator.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Wallet for WooCommerce plugin suffers from a numeric logic flaw (CWE-681) in its fund transfer functionality, affecting all versions up to 1.5.6. This incorrect conversion between numeric types allows authenticated users with low-level privileges to inflate wallet balances by creating funds during transfers. The vulnerability can be exploited to distribute these funds across multiple accounts or to the attacker's own account. Additionally, if the Wallet Withdrawal extension is installed and withdrawal requests are approved by an administrator, attackers can cash out these unauthorized funds. The CVSS 3.1 base score is 6.5, reflecting medium severity with network attack vector, low attack complexity, and privileges required at the Subscriber level.
Potential Impact
The vulnerability allows authenticated users with Subscriber-level or higher privileges to create and distribute unauthorized funds within the Wallet for WooCommerce plugin, effectively enabling financial fraud by making products free or allowing withdrawal of illegitimate funds if the Wallet Withdrawal extension is used and withdrawal requests are approved. There is no indication of confidentiality or availability impact. No known exploits in the wild have been reported as of the publication date.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should consider restricting Subscriber-level access or higher to trusted users only and carefully review withdrawal requests if the Wallet Withdrawal extension is in use. Monitoring for unusual fund transfers and limiting plugin usage may reduce risk.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-08-13T15:22:37.543Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6c1eb7ef31ef0b56023e
Added to database: 2/25/2026, 9:39:42 PM
Last enriched: 4/9/2026, 8:21:07 AM
Last updated: 4/12/2026, 1:40:54 PM
Views: 11
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.