CVE-2025-64358
📋 TL;DR
This CVE describes a missing authorization vulnerability in the WebToffee Smart Coupons for WooCommerce plugin that allows attackers to bypass access controls. It affects WordPress sites using this plugin from all versions up to and including 2.2.3. Attackers could potentially access or modify coupon functionality they shouldn't have permission to.
💻 Affected Systems
- WebToffee Smart Coupons for WooCommerce
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could create, modify, or delete coupons without authorization, potentially leading to financial loss through unauthorized discounts or coupon abuse.
Likely Case
Unauthorized users accessing coupon management functions they shouldn't have access to, potentially viewing or modifying existing coupons.
If Mitigated
With proper user role management and access controls, impact would be limited to authorized users only.
🎯 Exploit Status
Exploitation requires some level of WordPress user access. The vulnerability is in access control checks within the plugin's admin functionality.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2.2.3
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Go to Plugins → Installed Plugins
3. Find 'Smart Coupons for WooCommerce'
4. Click 'Update Now' if update is available
5. Alternatively, download latest version from WordPress repository and replace plugin files
🔧 Temporary Workarounds
Temporary Plugin Deactivation
WordPressDisable the vulnerable plugin until patched
wp plugin deactivate wt-smart-coupons-for-woocommerce
🧯 If You Can't Patch
- Implement strict user role management and limit admin access to trusted users only
- Monitor coupon creation/modification logs for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed Plugins. Look for 'Smart Coupons for WooCommerce' version 2.2.3 or earlier.Check Version:
wp plugin get wt-smart-coupons-for-woocommerce --field=versionVerify Fix Applied:
After updating, verify plugin version shows higher than 2.2.3 in WordPress admin plugins list.📡 Detection & Monitoring
Log Indicators:
- Unauthorized coupon creation/modification attempts
- User role escalation attempts in WordPress logs
- Admin actions from non-admin users
Network Indicators:
- Unusual admin-ajax.php requests related to coupon functions
- POST requests to coupon management endpoints from unauthorized IPs
SIEM Query:
source="wordpress.log" AND ("coupon" OR "smart-coupon") AND ("unauthorized" OR "permission denied")