VYPR
High severity (7.5) · NVD Advisory · Published May 25, 2026

CVE-2026-45438


Description

Missing Authorization vulnerability in WebToffee Smart Coupons for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Smart Coupons for WooCommerce: from n/a before 2.3.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization in Smart Coupons for WooCommerce before 2.3.0 allows unprivileged attackers to perform unauthorized actions.

Vulnerability

The Smart Coupons for WooCommerce plugin (from WebToffee) suffers from a missing authorization vulnerability affecting versions before 2.3.0. The plugin fails to properly enforce access control checks, allowing incorrectly configured security levels to be exploited. This issue affects the product from n/a (unknown initial version) up to, but not including, version 2.3.0 [1].

Exploitation

An attacker does not require authentication to exploit this vulnerability. By sending specially crafted requests, an unauthenticated or low-privileged user can bypass the intended access controls. No special network position or user interaction is needed beyond being able to reach the WordPress site. The lack of proper capability or nonce checks in the underlying code is what makes exploitation possible [1].

Impact

Successful exploitation allows an unprivileged attacker to perform actions reserved for higher-privileged roles, such as administrators. This can lead to unauthorized modification of coupon settings, discount misuse, or other sensitive operations within the WooCommerce environment. The vulnerability is classified as broken access control with a CVSS v3 base score of 7.5 (High) [1].

Mitigation

The vulnerability is fixed in version 2.3.0 of the Smart Coupons for WooCommerce plugin. Users should update to version 2.3.0 or later immediately. Patchstack users can enable auto-updates for vulnerable plugins. If unable to update, consider contacting the hosting provider or a web developer for assistance. No other workarounds are documented in the available references [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2


References

1
