Impact
The Advanced Coupons for WooCommerce Coupons plugin contains an SQL injection flaw that permits an attacker to submit crafted input that is incorporated directly into a database query without sufficient escaping or parameterization. Based on the description, it is inferred that this flaw could enable the attacker to read, modify, or delete data in the WordPress database, potentially exposing user credentials and sensitive business information. The weakness is identified as CWE-89.
Affected Systems
Any WordPress site running the Advanced Coupons for WooCommerce Coupons plugin at any version from its first release through 4.6.8 is vulnerable. The plugin, developed by Josh Kohlbach, is presumed to process user input on coupon and configuration pages, which provides a reachable attack surface for malicious actors.
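A check for the affected range above, as an added example that is not part of the advisory or the plugin's own code: it reads the standard WordPress plugin header from each PHP file under a plugins directory and flags copies at or below 4.6.8. The name-match string (NAME_HINT) and the sample header are assumptions constructed for illustration.

```python
import re
from pathlib import Path

LAST_AFFECTED = (4, 6, 8)        # advisory: first release through 4.6.8
NAME_HINT = "advanced coupons"   # assumption: substring of the "Plugin Name" header

def header_field(text, field):
    """Read one field from a WordPress plugin header comment, or None."""
    m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$", text, re.I | re.M)
    return m.group(1).strip() if m else None

def parse_version(value):
    """'4.6.8' -> (4, 6, 8); stops at the first non-numeric component."""
    parts = []
    for piece in (value or "").split("."):
        m = re.match(r"\d+", piece.strip())
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def is_affected(header_text):
    """None if this is another plugin, else True when version <= 4.6.8."""
    name = header_field(header_text, "Plugin Name")
    if not name or NAME_HINT not in name.lower():
        return None
    v = parse_version(header_field(header_text, "Version"))
    if not v:
        return True  # missing or unparseable version: flag for manual review
    width = max(len(v), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(v) <= pad(LAST_AFFECTED)

def scan(plugins_dir):
    """Return [(path, version)] for affected copies under wp-content/plugins."""
    hits = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        head = php.read_bytes()[:8192].decode("utf-8", "replace")  # WordPress reads 8 KiB
        if is_affected(head):
            hits.append((str(php), header_field(head, "Version")))
    return hits

# Constructed sample header (not copied from the real plugin file).
SAMPLE = """<?php
/**
 * Plugin Name: Advanced Coupons for WooCommerce Coupons
 * Version: 4.6.8
 */
"""
```

Point scan() at a site's wp-content/plugins directory; an empty list means no copy in the affected range was found under that path.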
Risk and Exploitability
The CVSS base score of 7.6 denotes a high severity risk, while the EPSS score of less than 1% indicates that current exploitation activity is low but not impossible. The vulnerability is not listed in CISA's KEV catalog, yet its potential for data theft or unauthorized database manipulation remains substantial. Based on the description, it is inferred that exploitation would likely involve submitting malicious payloads through the plugin’s administrative interfaces, particularly if the database user runs with elevated privileges or if the application lacks additional input filtering.