WordPress Plugin Vulnerabilities

Coupon Affiliates < 6.8.1 - Missing Authorization

Description

The Coupon Affiliates plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcusage_generate_registration_page() function in versions up to, and including, 6.8.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to generate a registration page.

Affects Plugins

Plugin icon
woo-coupon-usage
Fixed in 6.8.1

References

CVE
CVE-2025-59567
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5b6349c5-a5da-4b8b-b60a-c1176a06e645

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Legion Hunter
Verified
No
WPVDB ID
73d49f74-3bb3-4ba1-95d0-18663a8daaa9

Timeline

Publicly Published
2025-09-22 (about 8 months ago)
Added
2025-09-26 (about 7 months ago)
Last Updated
2025-09-26 (about 7 months ago)

Other

Published
Title
Published
2026-05-12
Title
EventPrime – Events Calendar, Bookings and Tickets < 4.3.2.1 - Missing Authorization
Published
2026-02-03
Title
Magic Import Document Extractor < 1.0.6 - Missing Authorization to Unauthenticated Plugin License Status Modification
Published
2025-06-04
Title
Icegram Collect – Easy Form, Lead Collection and Subscription plugin < 1.3.19 - Missing Authorization
Published
2023-09-05
Title
Carousel Slider < 2.2.3 - Missing Authorization
Published
2024-08-26
Title
Droip < 2.5.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Settings Change