CVE-2022-1563: 
WordPress vulnerability analysis and mitigation

The WPGraphQL WooCommerce WordPress plugin before version 0.12.4 contains a security vulnerability identified as CVE-2022-1563. The vulnerability allows unauthenticated attackers to enumerate a shop's coupon codes and values via GraphQL. This vulnerability was discovered and reported in 2022 (WPScan, NVD).

The vulnerability exists because the plugin only prevents users from leaking coupons using the 'coupons' aggregate field, but not the regular 'coupon' field. An unauthenticated attacker can make GraphQL calls to retrieve coupon codes by using the coupon ID format base64(shop_coupon:x), where x is a 2-3 digit integer that can be easily enumerated. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (WPScan).

The vulnerability allows unauthorized users to discover and enumerate valid coupon codes from the WooCommerce store. This could lead to unauthorized use of discount codes, potentially causing financial impact to the store owner (WPScan).

The vulnerability has been fixed in version 0.12.4 of the WPGraphQL WooCommerce plugin. Store owners are advised to update to this version or later to protect against unauthorized coupon code enumeration (WPScan).