If you run a WooCommerce shop on WordPress, chances are you love giving your shoppers a little nudge — maybe in the form of popups, smart bars, or slide-ins advertising deals. Plugins like WooCommerce Coupon Popup, SmartBar, Slide In | MyShopKit make this easy. But in February 2024, a serious bug (tracked as CVE-2024-1436) was found in this plugin that could potentially leak sensitive information, putting both site owners and users at risk.
In this post, we’ll break down CVE-2024-1436 in plain English, look into how attackers can abuse it, share sample exploit code, link you to more technical details, and provide practical steps on how you can stay protected.
CVE-2024-1436 is a vulnerability officially described as
> Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wiloke WooCommerce Coupon Popup, SmartBar, Slide In | MyShopKit.
> This issue affects WooCommerce Coupon Popup, SmartBar, Slide In | MyShopKit: from n/a through 1..9.
In simple terms:
- Attackers can access private or sensitive information stored by this plugin, even if they're not supposed to.
- They can get hold of admin configuration details, possibly even hinting at API keys or admin email addresses.
That's bad for your business reputation and could put your customers at risk of spam or worse.
Who is Vulnerable?
If your site uses WooCommerce Coupon Popup, SmartBar, Slide In | MyShopKit with any version from the very start (n/a) up to 1..9, you are at risk.
*Check your plugin version from the WordPress dashboard > Plugins.*
How Does the Attack Work?
Based on public disclosure and code review, the issue is with a *REST API endpoint* the plugin creates, which allows anyone (not just admins!) to fetch sensitive settings and data.
Here's a simplified look at what happens:

```php
// Sample pseudo-code illustrating the plugin vulnerability (simplified, not the plugin's exact source):
add_action('rest_api_init', function () {
    register_rest_route('wiloke/v1', '/get_coupon', [
        'methods'  => 'GET',
        'callback' => 'wiloke_get_coupon_callback',
        // 'permission_callback' => '__return_true', // <-- No security check!
        // With no permission_callback at all, WordPress still serves the route to anyone.
    ]);
});

function wiloke_get_coupon_callback(WP_REST_Request $request) {
    // Sends back sensitive plugin settings, coupon codes, or more,
    // straight from the options table, to whoever asked.
    return get_option('wiloke_coupon_popup_settings');
}
```
The lack of a proper permission_callback means anyone (even bots or attackers) can just call this endpoint and see the data.
The endpoint in question, which returns admin or store configuration:

`https://victim.com/wp-json/wiloke/v1/get_coupon`

*Here's a quick curl command an attacker might use:*

```shell
curl https://victim.com/wp-json/wiloke/v1/get_coupon
```
If you’re running the vulnerable plugin, you might see a big blob of private data!
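For contrast, here is how that endpoint pattern looks once it is designed properly. This is an added example written for this post, not the plugin's own code or its actual fix; the namespace `example/v1`, the option name `example_coupon_popup_settings`, the function names and the list of public fields are all assumptions. The idea is that a storefront popup legitimately needs some data without a login, so the split is: a public route that returns only an allow-list of display fields, and a separate admin route with a real `permission_callback` for everything else.

```php
<?php
// Added example (not the plugin's code): a hardened version of the endpoint pattern above.
// Route, option, function and field names are assumptions for illustration.

// Only these keys may ever leave the server to an unauthenticated caller.
const EXAMPLE_PUBLIC_FIELDS = [ 'enabled', 'headline', 'body_text', 'button_label', 'display_delay' ];

add_action( 'rest_api_init', function () {
    // Public route: intentionally open, but the callback allow-lists what it returns.
    register_rest_route( 'example/v1', '/coupon-popup', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_public_coupon_popup',
        'permission_callback' => '__return_true',
    ] );

    // Admin route: full settings, restricted to users who can manage the shop.
    register_rest_route( 'example/v1', '/coupon-popup/settings', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_admin_coupon_settings',
        'permission_callback' => function () {
            return current_user_can( 'manage_woocommerce' );
        },
    ] );
} );

function example_public_coupon_popup( WP_REST_Request $request ) {
    $settings = (array) get_option( 'example_coupon_popup_settings', [] );
    // array_intersect_key keeps only the allow-listed keys; secrets never reach the response.
    $public = array_intersect_key( $settings, array_flip( EXAMPLE_PUBLIC_FIELDS ) );
    return rest_ensure_response( $public );
}

function example_admin_coupon_settings( WP_REST_Request $request ) {
    // permission_callback already ran; a second check guards against the
    // callback being reused on another route without one.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        return new WP_Error( 'rest_forbidden', 'Not allowed.', [ 'status' => 403 ] );
    }
    return rest_ensure_response( (array) get_option( 'example_coupon_popup_settings', [] ) );
}
```

Two points worth noting. `manage_woocommerce` is the capability WooCommerce grants to shop managers and administrators, so the admin route works for the people who edit these settings and nobody else. And because the admin route relies on cookie authentication, any admin-side JavaScript calling it must send the `X-WP-Nonce` header (for example via `wp.apiFetch`), otherwise WordPress treats the request as anonymous and the permission check correctly fails.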
Some possible risks include:
- Coupon abuse: Shoppers or bots can grab secret discount codes or “one time use” codes and use them repeatedly.
References & Further Reading
- CVE-2024-1436 at NVD
- Patchstack vulnerability listing
- WPScan entry
How to Protect Your Store Right Now
1. Update immediately:
   The plugin team fixed this vulnerability in version 1.1..
   - Go to WordPress > Plugins and *update WooCommerce Coupon Popup, SmartBar, Slide In | MyShopKit to 1.1. or newer.*
2. Check for data breach:
   - Consider rotating any secret codes that were active before you updated.
3. Lock down REST API:
   - Use a plugin like WPCode to block REST API endpoints you don't need.
   - Use firewall plugins to detect unusual API requests.
4. Audit your plugins regularly:
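If you cannot update straight away, step 3 can be done with a few lines of your own rather than by disabling the REST API wholesale. The snippet below is an added example for this post, not something shipped by the plugin or WPCode: it hooks the core `rest_endpoints` filter and wraps the permission callback of each listed route so that an unauthenticated caller gets a 401/403 instead of the data. The route `/wiloke/v1/get_coupon` is taken from the pseudo-code earlier in this post and is an assumption; check the routes your installed version really registers (they are listed at `/wp-json/`) and adjust the list.

```php
<?php
/**
 * Added example (not the plugin's code): require a capability on selected REST routes.
 * Drop it into wp-content/mu-plugins/ as a file, or paste it (without the opening
 * <?php tag) into a WPCode PHP snippet. The route below is an assumption; edit it.
 */

function example_locked_rest_routes() {
    // route => capability the caller must have
    return [
        '/wiloke/v1/get_coupon' => 'manage_woocommerce',
    ];
}

add_filter( 'rest_endpoints', function ( array $endpoints ) {
    foreach ( example_locked_rest_routes() as $route => $capability ) {
        if ( ! isset( $endpoints[ $route ] ) ) {
            continue; // route not registered (plugin updated, inactive, or a different path)
        }
        // A route holds one handler array per method group under numeric keys;
        // string keys such as 'namespace' are route options and are left alone.
        foreach ( $endpoints[ $route ] as $key => &$handler ) {
            if ( ! is_numeric( $key ) || ! is_array( $handler ) ) {
                continue;
            }
            $original = $handler['permission_callback'] ?? '__return_true';
            $handler['permission_callback'] = function ( $request ) use ( $original, $capability ) {
                if ( ! current_user_can( $capability ) ) {
                    // 401 for anonymous callers, 403 for logged-in users lacking the capability
                    return new WP_Error(
                        'rest_forbidden',
                        'Authentication required.',
                        [ 'status' => rest_authorization_required_code() ]
                    );
                }
                // Keep whatever check the plugin itself had, if any.
                return is_callable( $original ) ? call_user_func( $original, $request ) : true;
            };
        }
        unset( $handler );
    }
    return $endpoints;
} );
```

After enabling it, request the route while logged out and confirm you get a `rest_forbidden` error rather than settings; then check that the popup on your storefront still renders, since a plugin whose front-end JavaScript fetches display data from that same route will lose it for anonymous visitors. That trade-off is exactly why this is a stopgap and updating to the fixed version is the real answer.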
Conclusion
CVE-2024-1436 is a reminder that even small marketing plugins can have big security holes. If you use WooCommerce Coupon Popup, SmartBar, Slide In | MyShopKit, upgrade *now* to version 1.1. or newer.
Keep your store safe — don’t let bad code turn your good intentions into a data leak!
*Was this helpful? If you have questions or want a detailed plugin audit, comment below or get in touch. Stay secure out there!*
Timeline
Published on: 02/26/2024 16:27:52 UTC
Last modified on: 02/26/2024 16:32:25 UTC