Impact
The CouponXxL WordPress theme contains an Incorrect Privilege Assignment flaw that permits a user with the ability to modify theme settings to elevate privileges and gain administrative control over the site. This flaw is a classic Missing Authorization issue (CWE-266), allowing attackers to create or modify user accounts, change critical settings, or execute arbitrary code at higher privilege levels. The resulting privilege escalation can lead to full site takeover, data exfiltration, or injection of malicious content.
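As an added example, not code from the CouponXxL theme itself, the following WordPress settings save handler shows the authorization controls a reviewer would verify in any theme settings endpoint: a capability check, a nonce check, and an allow-list that keeps the handler from ever touching roles, users or arbitrary options. All names prefixed cx_example_ are hypothetical.

```php
<?php
// Added example (not the CouponXxL theme's own code). Hook, function and
// option names prefixed cx_example_ are hypothetical.

add_action( 'admin_post_cx_example_save_settings', 'cx_example_save_settings' );

function cx_example_save_settings() {
    // 1. Capability check: only users permitted to manage site options may
    //    save theme settings. Binding this to a weaker capability (or to
    //    none at all) is what turns a settings page into an escalation path.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change theme settings.', 'cx-example' ), 403 );
    }

    // 2. CSRF check: the submitted form must carry a nonce for this action.
    check_admin_referer( 'cx_example_save_settings' );

    // 3. Allow-list: only known, presentation-related keys are read from the
    //    request, each through a fixed sanitizer. Keys such as role names,
    //    user IDs, default_role or users_can_register are simply ignored.
    $allowed = array(
        'primary_color'    => 'sanitize_hex_color',
        'footer_text'      => 'sanitize_text_field',
        'coupons_per_page' => 'absint',
    );

    $clean = array();
    foreach ( $allowed as $key => $sanitizer ) {
        if ( isset( $_POST[ $key ] ) ) {
            $clean[ $key ] = call_user_func( $sanitizer, wp_unslash( $_POST[ $key ] ) );
        }
    }

    // 4. Persist to one theme-owned option rather than to whatever option
    //    name the request supplies.
    update_option( 'cx_example_settings', $clean );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
```

When auditing a theme for this class of flaw, confirm that every admin-post or AJAX handler that writes settings performs all three checks before calling update_option().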
Affected Systems
Versions of the pebas CouponXxL theme from its earliest release up through 3.0.0 are affected. WordPress sites running any of these versions are at risk. No specific WordPress core version is mentioned, so any WordPress installation using CouponXxL 3.0.0 or older may be vulnerable.
Risk and Exploitability
The CVSS score of 9.8 classifies this issue as Critical. The EPSS score of less than 1% indicates that, at the time of this analysis, exploitation activity in the wild is expected to be very low. It is not yet listed in the CISA KEV catalog, so no known wide-scale exploitation has been reported. Nonetheless, the severity and the obvious privilege escalation potential warrant immediate remediation, since an attacker could exploit this weakness once they obtain any authenticated access to the WordPress back-end or theme management interface.
OpenCVE Enrichment