CVE-2025-14070
📋 TL;DR
The Reviewify WordPress plugin has an authorization vulnerability that allows authenticated users with Contributor-level access or higher to create arbitrary WooCommerce discount coupons. This can lead to financial losses for online stores by enabling attackers to generate fraudulent discounts. All WordPress sites using Reviewify version 1.0.6 or earlier are affected.
💻 Affected Systems
- WordPress Reviewify plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers create unlimited discount coupons with 100% discounts, leading to complete revenue loss and potential store bankruptcy.
Likely Case
Attackers create moderate-value discount coupons for personal use or resale, causing direct financial losses and inventory depletion.
If Mitigated
With proper user role management and monitoring, impact is limited to minor coupon abuse by trusted users.
🎯 Exploit Status
Exploitation requires authenticated access but is trivial once authenticated. Public exploit code is available in vulnerability reports.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.7 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/review-for-discount/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Reviewify plugin. 4. Click 'Update Now' if update available. 5. If no update available, deactivate and delete plugin, then install fresh version 1.0.7+ from WordPress repository.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
allRemove or block the vulnerable 'send_test_email' AJAX action
Add to theme's functions.php or custom plugin: remove_action('wp_ajax_send_test_email', 'xswcrd_send_test_email_callback');
Restrict user roles
allTemporarily remove coupon creation capabilities from Contributor and Author roles
Use WordPress role editor plugin or add: remove_cap('shop_manager', 'manage_woocommerce'); to affected roles
🧯 If You Can't Patch
- Deactivate the Reviewify plugin immediately
- Implement strict monitoring of coupon creation and usage in WooCommerce
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Reviewify version. If version is 1.0.6 or earlier, you are vulnerable.Check Version:
wp plugin list --name=reviewify --field=version (if WP-CLI installed)Verify Fix Applied:
After update, verify plugin version shows 1.0.7 or later in WordPress admin.📡 Detection & Monitoring
Log Indicators:
- Unusual coupon creation events from non-admin users
- Multiple coupon creations in short timeframes
- Coupons with unusual discount values or codes
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=send_test_email
- Unusual coupon redemption patterns
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "send_test_email" AND user_role!="administrator"🔗 References
- https://cwe.mitre.org/data/definitions/862.html
- https://plugins.trac.wordpress.org/browser/review-for-discount/tags/1.0.6/admin/class-xswcrd-review-discounts-admin.php#L425
- https://plugins.trac.wordpress.org/browser/review-for-discount/trunk/admin/class-xswcrd-review-discounts-admin.php#L425
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9db8756a-a177-4d39-b169-dc874cac2b3b?source=cve
