CVE-2025-62884
Description
Missing Authorization vulnerability in Elliot Sowersby / RelyWP Coupon Affiliates (woo-coupon-usage) allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Coupon Affiliates: from n/a through <= 7.2.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Coupon Affiliates WordPress plugin <= 7.2.0 has a missing authorization vulnerability allowing unauthenticated access to restricted functionality.
Vulnerability
Overview
The Coupon Affiliates plugin for WordPress (woo-coupon-usage) versions up to and including 7.2.0 suffers from a missing authorization vulnerability. This means that certain functionality intended for privileged users is not properly protected by access control lists (ACLs), allowing unprivileged users to access it [1].
Exploitation
An attacker, either unauthenticated or with low-level privileges, can exploit this flaw by sending crafted requests to the vulnerable endpoints. No special authentication or network position is required beyond being able to interact with the WordPress site [1]. The missing authorization checks make it straightforward to invoke administrative actions without proper permissions.
Impact
Successful exploitation allows the attacker to perform actions normally reserved for higher-privileged roles, such as managing coupon data or affecting affiliate settings. This could lead to unauthorized coupon creation, modification, or disclosure, potentially enabling fraudulent discounts or revenue leakage [1].
Mitigation
The vulnerability is addressed in version 7.2.1 of the plugin. Users are strongly advised to update immediately. For sites that cannot be updated, implementing a web application firewall or restricting access to the vulnerable plugin's endpoints may temporarily reduce risk, but updating is the only complete fix [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1
- Range: <=7.2.0
Patches
0
No patches discovered yet.
References
1
News mentions
0
No linked articles in our index yet.