CVE-2025-12115
WPC · WPC Name Your Price for WooCommerce plugin for WordPress
A high-severity vulnerability has been identified in the "WPC Name Your Price for WooCommerce" WordPress plugin.
Executive summary
A high-severity vulnerability has been identified in the "WPC Name Your Price for WooCommerce" WordPress plugin. This flaw allows an unauthenticated attacker to manipulate product prices during the checkout process, potentially enabling them to purchase items for a price of their choosing. Successful exploitation could lead to direct financial loss and inventory disruption for businesses using the affected plugin.
Vulnerability
The vulnerability exists due to insufficient server-side validation of the price submitted by a user. An attacker can intercept the web traffic generated when adding a product to the cart and modify the price parameter to any desired value. The backend fails to verify whether the submitted price is valid or meets the product's minimum threshold, and processes the transaction at the attacker-supplied price, which could be as low as zero.
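The fix for this class of bug is to treat the client-submitted price as untrusted input and re-check it against a server-side floor at every point where it is read. The following is an added example written for this advisory, not the plugin's own code or the vendor's patch: it contrasts the weak pattern (accepting whatever the request carries) with a hardened version that validates the value and re-clamps it when totals are calculated. The WooCommerce hooks (`woocommerce_add_to_cart_validation`, `woocommerce_add_cart_item_data`, `woocommerce_before_calculate_totals`) are real public hooks; the request field `nyp_price` and the product meta key `_nyp_min_price` are assumptions chosen for illustration.

```php
<?php
/**
 * Added example (not the plugin's code). Assumes a WordPress/WooCommerce
 * runtime. Field name 'nyp_price' and meta key '_nyp_min_price' are assumed.
 */

// WEAK pattern (illustrative, not the plugin's source): the request value is
// stored as-is, so nothing stops a client from sending 0 or 0.01.
function nyp_weak_add_cart_item_data( $cart_item_data, $product_id ) {
    if ( isset( $_POST['nyp_price'] ) ) {
        $cart_item_data['nyp_price'] = (float) $_POST['nyp_price']; // no floor, no format check
    }
    return $cart_item_data;
}

// HARDENED: pure helper that returns a validated float or a WP_Error.
function nyp_validate_submitted_price( $submitted, float $min_price ) {
    // Must be a plain string of the form 123 or 123.45: rejects arrays
    // (nyp_price[]=...), negatives, exponents and hex-looking input.
    if ( ! is_string( $submitted ) || ! preg_match( '/^\d+(\.\d{1,2})?$/', $submitted ) ) {
        return new WP_Error( 'nyp_invalid', __( 'Please enter a valid price.', 'nyp-example' ) );
    }
    $price = round( (float) $submitted, 2 );
    if ( $price < $min_price ) {
        return new WP_Error(
            'nyp_too_low',
            sprintf( __( 'The minimum price for this product is %s.', 'nyp-example' ), wc_price( $min_price ) )
        );
    }
    return $price;
}

// 1) Reject the add-to-cart request outright when the price fails validation.
add_filter( 'woocommerce_add_to_cart_validation', function ( $passed, $product_id, $quantity ) {
    $min_meta = get_post_meta( $product_id, '_nyp_min_price', true );
    if ( '' === $min_meta ) {
        return $passed; // product does not use name-your-price (assumed convention)
    }
    $submitted = isset( $_POST['nyp_price'] ) ? wp_unslash( $_POST['nyp_price'] ) : '';
    $result    = nyp_validate_submitted_price( $submitted, (float) $min_meta );
    if ( is_wp_error( $result ) ) {
        wc_add_notice( $result->get_error_message(), 'error' );
        return false;
    }
    return $passed;
}, 10, 3 );

// 2) Only a value that passed the floor check is ever stored on the cart item.
add_filter( 'woocommerce_add_cart_item_data', function ( $cart_item_data, $product_id ) {
    $min_meta = get_post_meta( $product_id, '_nyp_min_price', true );
    if ( '' === $min_meta || ! isset( $_POST['nyp_price'] ) ) {
        return $cart_item_data;
    }
    $result = nyp_validate_submitted_price( wp_unslash( $_POST['nyp_price'] ), (float) $min_meta );
    if ( ! is_wp_error( $result ) ) {
        $cart_item_data['nyp_price'] = $result;
    }
    return $cart_item_data;
}, 10, 2 );

// 3) Re-clamp against the current floor every time totals are computed, so a
//    stale or tampered session value cannot price the line below the minimum.
add_action( 'woocommerce_before_calculate_totals', function ( $cart ) {
    foreach ( $cart->get_cart() as $item ) {
        if ( ! isset( $item['nyp_price'] ) ) {
            continue;
        }
        $min_price = (float) get_post_meta( $item['product_id'], '_nyp_min_price', true );
        $item['data']->set_price( max( (float) $item['nyp_price'], $min_price ) );
    }
}, 10, 1 );
```

The important design point is step 3: validating once at add-to-cart time is not enough, because the price is read again at checkout. Enforcing the floor where the price is actually applied to the product object closes the gap regardless of how the earlier value reached the session.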
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.5. The primary business impact is direct financial loss resulting from fraudulent transactions where goods are sold for significantly less than their value. This can lead to revenue loss, inaccurate inventory records, and potential abuse of the e-commerce platform. Furthermore, public exploitation of this flaw could result in reputational damage and a loss of customer trust in the security and integrity of the online store.
Remediation
Immediate Action: Update the "WPC Name Your Price for WooCommerce" plugin immediately to the latest version released by the vendor, which addresses this vulnerability. If the plugin's functionality is not essential, consider deactivating and removing it entirely to reduce the overall attack surface.
Proactive Monitoring: Monitor e-commerce transaction logs for anomalies, such as orders with unusually low or zero-dollar prices for products that should have a minimum cost. Review web server access logs for repeated or suspicious POST requests to the cart and checkout pages, particularly those with modified price parameters. Implement alerts for sales transactions that fall outside of expected price ranges.
Compensating Controls: If patching is not immediately feasible, implement a Web Application Firewall (WAF) with custom rules to inspect and block requests containing price parameters below a pre-defined minimum value. Alternatively, temporarily disable the plugin until a patch can be applied. Instituting a manual review process for all orders before fulfillment can also help catch fraudulent purchases.
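The monitoring guidance above (orders below the configured floor, and repeated POSTs to cart and checkout endpoints) can be turned into a small scheduled check. The script below is an added example written for this advisory, not code from the vendor or the advisory's author; the order export rows and the access log lines embedded in it are constructed sample data, and the CSV column layout is an assumption. It runs under the PHP CLI (8.0 or later) with no WordPress dependency.

```php
<?php
declare(strict_types=1);
/**
 * Added example: flag underpriced order lines and bursts of POSTs to
 * cart/checkout endpoints. All data below is constructed for illustration.
 */

// Constructed order export: order_id,product_id,qty,unit_price,min_price
const ORDER_CSV = <<<'CSV'
order_id,product_id,qty,unit_price,min_price
1001,42,1,25.00,20.00
1002,42,3,0.00,20.00
1003,42,1,0.01,20.00
1004,77,2,15.00,15.00
CSV;

// Returns one entry per line whose unit price is below the product's floor.
function find_underpriced_orders( string $csv ): array {
    $lines   = array_values( array_filter( array_map( 'trim', explode( "\n", $csv ) ), 'strlen' ) );
    $header  = explode( ',', array_shift( $lines ) );
    $flagged = [];
    foreach ( $lines as $line ) {
        $row  = array_combine( $header, explode( ',', $line ) );
        $unit = (float) $row['unit_price'];
        $min  = (float) $row['min_price'];
        if ( $unit < $min ) {
            $flagged[] = [
                'order_id'   => (int) $row['order_id'],
                'unit_price' => $unit,
                'min_price'  => $min,
                'shortfall'  => round( ( $min - $unit ) * (int) $row['qty'], 2 ),
            ];
        }
    }
    return $flagged;
}

// Constructed Apache combined-format access log lines.
const ACCESS_LOG = <<<'LOG'
203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "POST /?wc-ajax=add_to_cart HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.5 - - [10/Oct/2025:12:00:02 +0000] "POST /?wc-ajax=add_to_cart HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.5 - - [10/Oct/2025:12:00:03 +0000] "POST /checkout/ HTTP/1.1" 200 9801 "-" "curl/8.4.0"
198.51.100.9 - - [10/Oct/2025:12:05:10 +0000] "GET /shop/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2025:12:06:40 +0000] "POST /?wc-ajax=add_to_cart HTTP/1.1" 200 512 "https://shop.example/product/x/" "Mozilla/5.0"
LOG;

// Counts POSTs to the add-to-cart AJAX endpoint and the checkout page per
// client IP and keeps only clients at or above the threshold.
function count_cart_posts_per_ip( string $log, int $threshold ): array {
    $counts = [];
    foreach ( explode( "\n", trim( $log ) ) as $line ) {
        if ( ! preg_match( '/^(\S+) \S+ \S+ \[[^\]]+\] "POST (\S+)/', $line, $m ) ) {
            continue;
        }
        [ , $ip, $path ] = $m;
        if ( str_contains( $path, 'wc-ajax=add_to_cart' ) || str_starts_with( $path, '/checkout' ) ) {
            $counts[ $ip ] = ( $counts[ $ip ] ?? 0 ) + 1;
        }
    }
    return array_filter( $counts, fn( int $n ): bool => $n >= $threshold );
}

foreach ( find_underpriced_orders( ORDER_CSV ) as $o ) {
    printf( "ALERT order %d: unit price %.2f below floor %.2f (shortfall %.2f)\n",
        $o['order_id'], $o['unit_price'], $o['min_price'], $o['shortfall'] );
}
foreach ( count_cart_posts_per_ip( ACCESS_LOG, 3 ) as $ip => $n ) {
    printf( "ALERT %s: %d POSTs to cart/checkout endpoints\n", $ip, $n );
}
```

On the constructed data this flags orders 1002 and 1003 (order 1004 sits exactly at its floor and is not flagged) and the client 203.0.113.5 for three cart/checkout POSTs in quick succession. In production, feed it the store's real order export and the web server's access log, and tune the threshold to normal shopper behaviour so the alert reflects a burst rather than a single legitimate purchase.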
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity (CVSS 7.5) and the direct potential for financial loss, it is strongly recommended that organizations using the affected plugin apply the vendor-supplied patch immediately. Although this vulnerability is not currently listed on the CISA KEV catalog, its significant business impact makes it a high-priority target for remediation. Organizations should treat this as a critical vulnerability and prioritize its patching to prevent financial and reputational damage.