CVE-2025-39489 - Vulnerability Details

- WordPress CouponXL theme <= 4.5.0 - Privilege Escalation Vulnerability

Description

Incorrect Privilege Assignment vulnerability in pebas CouponXL couponxl allows Privilege Escalation.This issue affects CouponXL: from n/a through <= 4.5.0.

Published: 2025-05-23

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is an incorrect privilege assignment in the pebas CouponXL WordPress theme. It allows a legitimate user to elevate their privileges to an administrative level, compromising confidentiality, integrity, and availability of the site. The weakness corresponds to CWE-266, which focuses on unauthorized privilege escalation.

Affected Systems

The issue affects all versions of the pebas CouponXL theme from the earliest release through version 4.5.0. The CVE description explicitly states that CouponXL couponxl is vulnerable up to and including 4.5.0. This applies to any WordPress installation that has that theme installed, regardless of the current user role at the time of installation.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical severity level. However, the EPSS score of less than 1% suggests that real‑world exploitation is currently very unlikely, and the vulnerability is not yet listed in the CISA KEV catalog. Based on the description, it is inferred that the attack requires a valid authenticated account that can interact with the theme’s back‑end functionality; the attacker could then leverage the incorrect privilege assignment to gain higher level permissions. The exploit path is therefore limited to environments where the theme is active and users can trigger the affected functionality.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

pebas

CouponXL

unaffected

Version	Status	Constraints
`0`	affected	≤ 4.5.0

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the pebas CouponXL theme to any release newer than 4.5.0. The patch is available as indicated by the advisory on PatchStack.
If an immediate upgrade is not possible, deactivate or remove the CouponXL theme to eliminate the attack surface.
Audit your site’s user role configuration and ensure that no unauthorized capabilities are assigned via the theme or other plugins.

Generated by OpenCVE AI on April 30, 2026 at 18:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-27959	Incorrect Privilege Assignment vulnerability in pebas CouponXL allows Privilege Escalation. This issue affects CouponXL: from n/a through 4.5.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00347.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://patchstack.com/database/Wordpress/Theme/couponxl/vulnerability/wordpress-couponxl-4-5-0-privilege-escalation-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Incorrect Privilege Assignment vulnerability in pebas CouponXL allows Privilege Escalation. This issue affects CouponXL: from n/a through 4.5.0.	Incorrect Privilege Assignment vulnerability in pebas CouponXL couponxl allows Privilege Escalation.This issue affects CouponXL: from n/a through <= 4.5.0.
Title	WordPress CouponXL <= 4.5.0 - Privilege Escalation Vulnerability	WordPress CouponXL theme <= 4.5.0 - Privilege Escalation Vulnerability
References	https://patchstack.com/database/wordpress/theme/couponxl/vulnerability/wordpress-couponxl-4-5-0-privilege-escalation-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Theme/couponxl/vulnerability/wordpress-couponxl-4-5-0-privilege-escalation-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Fri, 23 May 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 23 May 2025 13:00:00 +0000

Type	Values Removed	Values Added
Description		Incorrect Privilege Assignment vulnerability in pebas CouponXL allows Privilege Escalation. This issue affects CouponXL: from n/a through 4.5.0.
Title		WordPress CouponXL <= 4.5.0 - Privilege Escalation Vulnerability
Weaknesses		CWE-266
References		https://patchstack.com/database/wordpress/theme/couponxl/vulnerability/wordpress-couponxl-4-5-0-privilege-escalation-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-05-23T12:43:54.956Z

Updated: 2026-04-28T16:12:32.624Z

Reserved: 2025-04-16T06:23:58.700Z

Link: CVE-2025-39489

Vulnrichment

Updated: 2025-05-23T15:00:14.236Z

NVD

Status : Deferred

Published: 2025-05-23T13:15:30.757

Modified: 2026-04-23T15:29:39.620

Link: CVE-2025-39489

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T19:00:14Z

Weaknesses

CWE-266

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object