The vulnerability is a Missing Authorization flaw that allows users to exploit incorrectly configured access control security levels in the Advanced Coupons for WooCommerce Coupons plugin. Key detail from vendor description: "Missing Authorization vulnerability ... allows Exploiting Incorrectly Configured Access Control Security Levels." The weakness is identified as CWE-862. This flaw permits unauthenticated or low‑privileged users to bypass intended permission checks, potentially accessing or modifying coupon data and related administrative functions within the plugin.

Affected vendor: Josh Kohlbach. Product: Advanced Coupons for WooCommerce Coupons plugin. Version range: all versions from n/a through <= 4.7.1. No specific patch versions are listed in the input.

The CVSS score of 4.3 indicates a moderate severity vulnerability, while an EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker could attempt to access the plugin’s admin interface or API endpoints via standard WordPress URLs to obtain unauthorized coupon management capabilities. The risk primarily involves granting elevated access to coupon creation, editing or deletion which could have financial implications.