CVE-2025-66154

Vulnerability

Type and Root Cause

Missing authorization (broken access control) in the Couponer for Elementor plugin (versions up to 1.1.7) allows unauthenticated or low-privileged users to access functions that should be restricted to higher-privileged roles. The plugin does not properly validate access rights for critical actions.

Exploitation

Method

Attackers can exploit this vulnerability by sending specially crafted HTTP requests to the WordPress site. No authentication is required if the affected endpoint is exposed. The vulnerability is actively used in mass-exploit campaigns targeting thousands of websites, regardless of site size or popularity [1].

Potential

Impact

Successful exploitation could lead to unauthorized access to sensitive information, modification of plugin settings, or arbitrary actions within the context of the affected plugin. This could be a stepping stone for further compromise of the WordPress site.

Mitigation

The plugin vendor has released a fix. Users are strongly advised to update the Couponer for Elementor plugin to version 1.1.8 or later. If immediate updating is not possible, users should contact their hosting provider or web developer for assistance [1].