Description
Missing Authorization vulnerability in Elliot Sowersby / RelyWP Coupon Affiliates woo-coupon-usage allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Coupon Affiliates: from n/a through <= 7.2.0.
Published: 2025-10-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw in the Coupon Affiliates WordPress plugin that allows attackers to perform functions that should be restricted to privileged users. Documented as CWE‑862, the flaw enables unauthorized users to access or modify coupon data and other privileged features, potentially compromising the confidentiality and integrity of promotional code management.

Affected Systems

The issue affects the Coupon Affiliates plugin from any version up to 7.2.0, as released by Elliot Sowersby / RelyWP. WordPress sites that have installed or upgraded the plugin within that version range are impacted, and earlier releases remain vulnerable due to the missing access‑control checks.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity, while the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in CISA KEV. Attackers would need network or local access to the WordPress site and could exploit the bug by sending crafted requests to the plugin endpoints. Because the flaw originates from absent ACL checks, any authenticated user able to reach the endpoints could abuse it. Although the exploitation likelihood is low, the medium severity warrants prompt attention.

Generated by OpenCVE AI on April 29, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Coupon Affiliates plugin to a version newer than 7.2.0, which corrects the missing authorization checks.
  • Regenerate or revoke any coupon or affiliate credentials that were in use before the update, and ensure that only trusted user roles retain access to coupon‑management features.
  • Disable or uninstall the plugin if an immediate update is not available, to eliminate the attack surface until a patch is installed.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics
  Values Removed: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
  Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Description
  Values Removed: Missing Authorization vulnerability in Elliot Sowersby / RelyWP Coupon Affiliates woo-coupon-usage allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Coupon Affiliates: from n/a through <= 7.0.3.
  Values Added: Missing Authorization vulnerability in Elliot Sowersby / RelyWP Coupon Affiliates woo-coupon-usage allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Coupon Affiliates: from n/a through <= 7.2.0.
Title
  Values Removed: WordPress Coupon Affiliates plugin <= 7.0.3 - Broken Access Control vulnerability
  Values Added: WordPress Coupon Affiliates plugin <= 7.2.0 - Broken Access Control vulnerability

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Mon, 27 Oct 2025 22:30:00 +0000

First Time appeared
  Values Added:
    Relywp
    Relywp coupon Affiliates
    Wordpress
    Wordpress wordpress
Vendors & Products
  Values Added:
    Relywp
    Relywp coupon Affiliates
    Wordpress
    Wordpress wordpress

Mon, 27 Oct 2025 16:15:00 +0000

Metrics
  Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 27 Oct 2025 02:00:00 +0000

Description
  Values Added: Missing Authorization vulnerability in Elliot Sowersby / RelyWP Coupon Affiliates woo-coupon-usage allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Coupon Affiliates: from n/a through <= 7.0.3.
Title
  Values Added: WordPress Coupon Affiliates plugin <= 7.0.3 - Broken Access Control vulnerability
Weaknesses
  Values Added: CWE-862
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:04.926Z

Reserved: 2025-10-24T14:24:07.765Z

Link: CVE-2025-62884

Vulnrichment

Updated: 2025-10-27T15:24:09.695Z

NVD

Status: Deferred

Published: 2025-10-27T02:15:47.220

Modified: 2026-04-27T17:16:34.163

Link: CVE-2025-62884

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T21:00:09Z

Weaknesses