PT-2024-38555 · WordPress · Terawallet – For Woocommerce

Author: Matthew Rollings, +1
Published: 2024-11-28 · Updated: 2024-11-29
CVE: CVE-2024-7747
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Wallet for WooCommerce plugin for WordPress versions up to, and including, 1.5.6

Description
The issue arises from a numerical logic flaw when transferring funds to another user, allowing authenticated attackers with Subscriber-level access and above to create funds during a transfer. This enables them to distribute these funds to any number of other users or their own account, effectively making products free. Additionally, if the Wallet Withdrawal extension is used, attackers could request to withdraw funds, which would require approval from an administrator.

Recommendations
For versions up to, and including, 1.5.6, update to a version higher than 1.5.6 to resolve the issue. As a temporary workaround, consider restricting access to the fund transfer feature until a patch is available. Avoid using the Wallet Withdrawal extension until the issue is resolved, or ensure that all withdrawal requests are thoroughly reviewed by administrators before approval.
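The advisory describes the flaw only as a numerical logic error that lets a transfer create funds. The following is an added example, not the plugin's code, modelling what a wallet transfer must enforce so that no transfer can mint or destroy balance: the amount is parsed as a decimal, rejected unless finite and strictly positive after rounding to the currency precision, checked against the sender's balance, and the total supply is asserted unchanged after the move. The WalletStore class and user ids are constructed for illustration.

```python
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP


class WalletStore:
    """Illustrative in-memory balance store (assumption, not the plugin's storage)."""

    def __init__(self, balances):
        self.balances = {uid: Decimal(b) for uid, b in balances.items()}

    def total_supply(self):
        # Sum of all balances; a correct transfer never changes this value.
        return sum(self.balances.values(), Decimal("0"))


def parse_amount(raw):
    """Return a positive two-place Decimal, or None if the input is not an acceptable amount.

    Rejects negatives, zero, NaN/Infinity, non-numeric strings, booleans and values
    too large to round to the currency precision.
    """
    if isinstance(raw, bool):
        return None
    try:
        amount = Decimal(str(raw))
        if not amount.is_finite():
            return None
        amount = amount.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)
    except (InvalidOperation, ValueError):
        return None
    if amount <= 0:
        return None
    return amount


def transfer(store, sender, recipient, raw_amount):
    """Move funds from sender to recipient; returns (ok, reason)."""
    amount = parse_amount(raw_amount)
    if amount is None:
        return False, "invalid amount"
    if sender == recipient:
        return False, "self-transfer not allowed"
    if recipient not in store.balances:
        return False, "unknown recipient"
    if store.balances.get(sender, Decimal("0")) < amount:
        return False, "insufficient balance"
    before = store.total_supply()
    store.balances[sender] -= amount      # debit first
    store.balances[recipient] += amount   # credit the same validated amount
    assert store.total_supply() == before  # conservation check: nothing minted
    return True, "ok"
```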


Related Identifiers

CVE-2024-7747

Affected Products

Terawallet – For Woocommerce