Bonanza – WooCommerce Free Gifts Lite <= 1.0.0 - Missing Authorization to Authenticated (Subscriber+) Opt In Success

July 29, 2025 invoker category_cve

CVE Details

Basic Information

Title Bonanza – WooCommerce Free Gifts Lite <= 1.0.0 - Missing Authorization to Authenticated (Subscriber+) Opt In Success
Type cve
Published 2025-07-29T09:23:45.239Z
Modified 2025-07-29T09:23:45.239Z

Product Information

Vendor amans2k
Product Bonanza – WooCommerce Free Gifts Lite
Version *

CVSS Information

Base Score 4.3 (MEDIUM)
Attack Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Affected Products

  • amans2k Bonanza – WooCommerce Free Gifts Lite *

Additional Information

CWE List CWE-862
Source Wordfence

Description

The Bonanza – WooCommerce Free Gifts Lite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the xlo_optin_call() function in all versions up to, and including, 1.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to set the opt in status to success.

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.