CVE-2024-7747

MEDIUM 6.5

Wallet for WooCommerce <= 1.5.6 - Authenticated (Subscriber+) Incorrect Conversion between Numeric Types

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

The Wallet for WooCommerce plugin for WordPress is vulnerable to incorrect conversion between numeric types in all versions up to, and including, 1.5.6. This is due to a numerical logic flaw when transferring funds to another user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create funds during a transfer and distribute these funds to any number of other users or their own account, rendering products free. Attackers could also request to withdraw funds if the Wallet Withdrawal extension is used and the request is approved by an administrator.

CWE	CWE-681
Vendor	subratamal
Product	wallet for woocommerce
Published	Nov 28, 2024
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for subratamal wallet for woocommerce

Be the first to know when new medium vulnerabilities affecting subratamal wallet for woocommerce are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

subratamal / Wallet for WooCommerce

0 ≤ 1.5.6

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/fd8f3eb7-ac60-46c4-b41f-5d89e3133042?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/woo-wallet/trunk/includes/class-woo-wallet-frontend.php#L407 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3145131/

Credits

Matthew Rollings