Impact
The WebToffee Smart Coupons for WooCommerce plugin contains a missing authorization flaw, classified as CWE‑862. Because the plugin does not enforce its access controls correctly, an attacker holding a WordPress account that normally lacks the right to create, edit, or delete discount coupons can perform those actions anyway. This lets the attacker manipulate the store’s pricing structure without the owner’s consent.
Affected Systems
The flaw is present in all releases of WebToffee Smart Coupons for WooCommerce up to and including version 2.2.3. Any WordPress site that has installed these versions of the plugin is vulnerable, regardless of the overall WordPress version or other plugins.
Risk and Exploitability
The CVSS score of 4.3 indicates low‑to‑moderate severity, and the EPSS score of less than 1% suggests that the likelihood of near‑term exploitation is small. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated WordPress user, typically a non‑administrator, and is assumed to involve the plugin’s coupon‑management endpoints; that detail is inferred from the nature of the access‑control flaw rather than stated in the CVE entry. The financial impact is bounded by the value of the coupons an attacker can create or alter, so the overall risk is moderate for sites that rely heavily on accurate discount calculations. Since the exact attack vector is not described in the CVE entry, this assessment is based on typical WordPress plugin behavior.
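To make the CWE‑862 pattern concrete from a defender's perspective, the following is an added illustration, not code from the plugin or from WebToffee: a hypothetical WordPress AJAX handler for saving a coupon, shown first without any authorization check and then in a hardened form. The action name `example_save_coupon` and the handler function names are assumptions chosen for this example; the WordPress and WooCommerce functions used (`check_ajax_referer`, `current_user_can`, `wp_insert_post` with the `shop_coupon` post type, and the `manage_woocommerce` / `edit_shop_coupons` capabilities) are real.

```php
<?php
// Added example, not the plugin's code. Demonstrates the missing-authorization
// defect described above and the corrected handler. The hook and function names
// below are hypothetical.

// --- Vulnerable pattern: any logged-in user can reach the handler ---------
// 'wp_ajax_{action}' only requires that the request is authenticated; it does
// not check which capabilities the user holds, so a subscriber can call it.
add_action( 'wp_ajax_example_save_coupon', 'example_save_coupon_unchecked' );

function example_save_coupon_unchecked() {
    // No nonce check, no capability check: the coupon is written as long as
    // the caller has any WordPress session at all.
    $code   = sanitize_text_field( wp_unslash( $_POST['code'] ?? '' ) );
    $amount = floatval( $_POST['amount'] ?? 0 );

    $coupon_id = wp_insert_post( array(
        'post_title'  => $code,
        'post_type'   => 'shop_coupon',   // WooCommerce stores coupons as posts
        'post_status' => 'publish',
    ) );
    update_post_meta( $coupon_id, 'discount_type', 'percent' );
    update_post_meta( $coupon_id, 'coupon_amount', $amount );

    wp_send_json_success( array( 'id' => $coupon_id ) );
}

// --- Hardened pattern: verify intent (nonce) and authority (capability) ---
add_action( 'wp_ajax_example_save_coupon_secure', 'example_save_coupon_checked' );

function example_save_coupon_checked() {
    // 1. CSRF protection: the request must carry a nonce generated for this
    //    action, e.g. via wp_create_nonce( 'example_save_coupon' ).
    check_ajax_referer( 'example_save_coupon', 'nonce' );

    // 2. Authorization: only users allowed to manage WooCommerce coupons may
    //    proceed. Shop managers and administrators hold these capabilities;
    //    customers and subscribers do not.
    if ( ! current_user_can( 'manage_woocommerce' ) && ! current_user_can( 'edit_shop_coupons' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: reject empty codes and negative or absurd amounts
    //    before touching the database.
    $code   = sanitize_text_field( wp_unslash( $_POST['code'] ?? '' ) );
    $amount = floatval( $_POST['amount'] ?? 0 );
    if ( '' === $code || $amount < 0 || $amount > 100 ) {
        wp_send_json_error( array( 'message' => 'Invalid coupon data.' ), 400 );
    }

    $coupon_id = wp_insert_post( array(
        'post_title'  => $code,
        'post_type'   => 'shop_coupon',
        'post_status' => 'publish',
    ) );
    if ( is_wp_error( $coupon_id ) ) {
        wp_send_json_error( array( 'message' => $coupon_id->get_error_message() ), 500 );
    }
    update_post_meta( $coupon_id, 'discount_type', 'percent' );
    update_post_meta( $coupon_id, 'coupon_amount', $amount );

    wp_send_json_success( array( 'id' => $coupon_id ) );
}
```

The fix that closes a CWE‑862 gap is the `current_user_can()` check: the nonce alone only proves the request originated from the site's own page and says nothing about whether the user is entitled to change coupons. When auditing a plugin for this class of bug, look for every `wp_ajax_*`, `admin_post_*`, or REST `permission_callback` entry point that writes `shop_coupon` data and confirm it performs a capability check before the write.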
OpenCVE Enrichment