CVE-2025-59567

Vulnerability

Overview

The Coupon Affiliates plugin for WordPress (versions up to and including 6.8.0) contains a missing authorization vulnerability. The root cause is an incorrectly configured access control security level, which fails to properly verify user permissions before allowing certain actions. This is classified as a Broken Access Control issue, where the plugin does not enforce adequate authorization checks on sensitive functions [1].

Exploitation

This vulnerability can be exploited without authentication, as the access control flaw allows an unauthenticated attacker to perform actions that should require higher privileges. The attack surface is broad because the plugin is widely used, like many WordPress plugins, is widely deployed. The vulnerability is known to be used in mass-exploit campaigns targeting thousands of websites regardless of size or popularity [1].

Impact

An attacker exploiting this missing authorization can gain unauthorized access to functionality that should be restricted. This could lead to unauthorized modification of coupon affiliate data, misuse of affiliate features, or other actions that compromise the integrity of the site's coupon and affiliate system. The CVSS v3 score of 5.5 (Medium) reflects the potential for significant impact, though the vendor notes a low severity in the WordPress context [1].

Mitigation

The vulnerability has been patched in version 6.8.1 of the Coupon Affiliates plugin. Users are strongly advised to update immediately. For those unable to update, contacting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].