WordPress Plugin Vulnerabilities

Coupon Affiliates < 6.4.2 - Missing Authorization to Unauthenticated Settings Update

Description

The Coupon Affiliates – Affiliate Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 6.4.1. This makes it possible for unauthenticated attackers to update the plugin's settings.

Affects Plugins

Plugin icon
woo-coupon-usage
Fixed in 6.4.2

References

CVE
CVE-2025-54025
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/28f22a48-7445-4104-9b76-60520e7a290e

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Denver Jackson
Verified
No
WPVDB ID
7ce3e6f4-fb71-4445-a609-35c9c6f1b7b5

Timeline

Publicly Published
2025-08-06 (about 9 months ago)
Added
2025-08-11 (about 9 months ago)
Last Updated
2025-08-11 (about 9 months ago)

Other

Published
Title
Published
2023-11-06
Title
Seraphinite Accelerator < 2.20.32 - Unauthorised Settings Reset/Import
Published
2026-01-08
Title
Booking for Appointments and Events Calendar – Amelia < 2.0.0 - Missing Authorization to Unauthenticated Multiple AJAX Actions
Published
2025-02-14
Title
Analytify < 5.5.1 - Missing Authorization
Published
2026-04-22
Title
ExactMetrics < 9.1.3 - Editor+ Arbitrary Plugin Installation/Activation
Published
2026-03-17
Title
Post SMTP < 3.9.0 - Missing Authorization to Authenticated (Subscriber+) Office 365 OAuth Configuration Overwrite