CVE-2025-64241

The WP Coupons and Deals plugin for WordPress, versions up to and including 3.2.4, contains a missing authorization vulnerability. This flaw stems from incorrectly configured access control security levels, allowing users to execute actions intended for higher-privileged roles [1]. The vulnerability is classified as a broken access control issue, as there is a lack of necessary permission checks in certain functions.

Exploitation does not require authentication, making it accessible to unauthenticated attackers. The attack vector is network-based, and the complexity is low. No user interaction is needed. This type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of websites indiscriminately [1].

Successful exploitation could allow an attacker to perform unauthorized actions, such as modifying or accessing sensitive data, depending on the affected functionality. The CVSS score of 4.3 (Medium) reflects the potential for limited impact, but the ease of exploitation increases the risk.

The vendor has addressed the issue in version 3.2.5. Users are strongly advised to update immediately. If unable to update, consulting a hosting provider or web developer is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].