CVE-2025-54025

Vulnerability

Overview

The Coupon Affiliates plugin for WordPress (versions up to and including 6.4.0) suffers from a missing authorization vulnerability. The plugin fails to properly verify proper access control when processing requests to modify its settings, allowing any unauthenticated user to alter configuration options. This is classified as an incorrectly configured access control security level issue [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable endpoint without needing any authentication. No special privileges or network position are required; the attack can be performed remotely. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of websites regardless of size or popularity [1].

Impact

Successful exploitation allows an attacker to change plugin settings, such as coupon usage rules or affiliate configurations. This could lead to unauthorized coupon abuse, financial loss for store owners, or manipulation of affiliate tracking. The CVSS v3 score of 6.5 reflects the medium severity of this settings change vulnerability [1].

Mitigation

The vendor has released version 6.4.2 which patches the vulnerability. Users are strongly advised to update immediately. For those unable to update, Patchstack offers a mitigation rule to block attacks until the update is applied [1].