CVE-2024-13316: 
WordPress vulnerability analysis and mitigation

The Scratch & Win – Giveaways and Contests WordPress plugin (versions up to 2.8.0) contains a vulnerability identified as CVE-2024-13316. The vulnerability stems from a missing capability check on the apmswncreatediscount() function, which allows unauthenticated attackers to create coupons without proper authorization (NVD).

The vulnerability is classified as a Missing Authorization (CWE-862) issue. According to the CVSS 3.1 scoring system, it has received a Medium severity score of 5.3 with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. This indicates that the vulnerability can be exploited remotely with low attack complexity, requires no privileges or user interaction, and has a limited impact on integrity (NVD).

The primary impact of this vulnerability is the potential for unauthorized coupon creation. Unauthenticated attackers can exploit this vulnerability to create coupons within the WordPress system, potentially affecting the business logic and promotional strategies of the affected websites (NVD).

Website administrators should update their Scratch & Win – Giveaways and Contests plugin to a version newer than 2.8.0 to address this vulnerability. The issue has been patched in subsequent releases (NVD).