Description
Missing Authorization vulnerability in WebToffee Smart Coupons for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Smart Coupons for WooCommerce: from n/a before 2.3.0.
Published: 2026-05-25
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a missing authorization flaw that allows an attacker to perform privileged actions on the Smart Coupons for WooCommerce plugin. Because access controls are incorrectly configured, an unintended user can create, modify, or delete coupons, or otherwise manipulate coupon data, potentially affecting the store’s revenue, customer trust, and financial operations. The weakness is a direct example of flawed permission enforcement and is listed as CWE‑862.

Affected Systems

The issue affects all installations of the WebToffee Smart Coupons for WooCommerce plugin running any version earlier than 2.3.0. Any WordPress site using this plugin and running those versions is exposed.

Risk and Exploitability

The CVSS score of 7.5 classifies the vulnerability as high severity; the vector on this record, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, describes a network-reachable flaw that needs no privileges or user interaction and affects integrity only. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog, so there is no public record of exploitation yet. The likely attack vector is a web API or administrative interface that does not perform correct authorization checks. An authenticated user with insufficient privileges could exploit the flaw, or an unauthenticated attacker may target public endpoints if they are exposed. Although no exploit has been publicly documented, the high severity means the risk remains significant for affected sites until the vulnerability is patched.

Generated by OpenCVE AI on May 25, 2026 at 23:22 UTC.

Remediation

Vendor Solution

Update the WordPress Smart Coupons for WooCommerce Plugin to the latest available version (at least 2.3.0).


OpenCVE Recommended Actions

  • Update the Smart Coupons for WooCommerce plugin to version 2.3.0 or later.
  • Ensure Role-Based Access Control settings for coupon management are limited to administrators or properly authorized editors; verify that the plugin’s internal permission checks align with these settings.
  • Restrict or disable exposure of plugin‑related REST API endpoints until the update has been applied, and monitor access logs for suspicious coupon‑related activity.



Advisories

No advisories yet.

History

Tue, 26 May 2026 01:15:00 +0000

Type: Values Added (no values removed)

  • First Time appeared: Webtoffee; Webtoffee smart Coupons For Woocommerce; Wordpress; Wordpress wordpress
  • Vendors & Products: Webtoffee; Webtoffee smart Coupons For Woocommerce; Wordpress; Wordpress wordpress

Mon, 25 May 2026 22:45:00 +0000

Type: Values Added (no values removed)

  • Description: Missing Authorization vulnerability in WebToffee Smart Coupons for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Smart Coupons for WooCommerce: from n/a before 2.3.0.
  • Title: WordPress Smart Coupons for WooCommerce plugin < 2.3.0 - Broken Access Control vulnerability
  • Weaknesses: CWE-862
  • References:
  • Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-25T22:18:18.582Z

Reserved: 2026-05-12T13:08:41.670Z

Link: CVE-2026-45438

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T01:00:11Z

Weaknesses