CVE-2025-62884

MEDIUM 5.3 (CVSS 3.1)
2025-10-27 [email protected]

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Oct 27, 2025 - 02:15 (nvd)
MEDIUM 5.3

Description (NVD)

Missing Authorization vulnerability in Elliot Sowersby / RelyWP Coupon Affiliates woo-coupon-usage allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Coupon Affiliates: from n/a through <= 7.2.0.

Analysis (AI)

Missing authorization in RelyWP Coupon Affiliates plugin (versions up to 7.2.0) allows unauthenticated remote attackers to access restricted functionality and read sensitive data due to inadequate access control list (ACL) enforcement. The vulnerability requires no authentication and has low attack complexity, enabling attackers to bypass WordPress permission checks and retrieve coupon-related information not intended for public access.

Technical Context (AI)

The vulnerability stems from a CWE-862 (Missing Authorization) flaw in the woo-coupon-usage plugin, a WordPress plugin for managing affiliate-driven coupon campaigns. The root cause is the failure to properly implement access control checks before exposing administrative or restricted functions via HTTP endpoints or AJAX handlers. WordPress plugins should validate user capabilities (e.g., current_user_can() for authenticated actions or capability checks for admin functions) before executing sensitive operations; this plugin does not perform adequate ACL enforcement, allowing any unauthenticated request to bypass intended permission boundaries.

Affected Products (AI)

The RelyWP Coupon Affiliates (woo-coupon-usage) plugin for WordPress is affected in versions from an unspecified baseline through 7.2.0. The affected product is identified, by CPE or vendor name, as Elliot Sowersby / RelyWP Coupon Affiliates woo-coupon-usage. WordPress sites running this plugin at version 7.2.0 or earlier are vulnerable. Detailed information and vulnerability tracking are available at https://patchstack.com/database/Wordpress/Plugin/woo-coupon-usage/vulnerability/wordpress-coupon-affiliates-plugin-7-0-3-broken-access-control-vulnerability?_s_id=cve.

Remediation (AI)

Upgrade RelyWP Coupon Affiliates plugin to a patched version above 7.2.0. Site administrators should access WordPress plugin management, locate Coupon Affiliates, and apply the available update immediately. If a specific patched version number is not yet publicly available, check the plugin's GitHub repository or vendor advisory at Patchstack for release information. WordPress site owners who cannot immediately upgrade should disable the Coupon Affiliates plugin until patched and verify no unauthorized data access occurred via access logs. Refer to https://patchstack.com/database/Wordpress/Plugin/woo-coupon-usage/ for vendor advisory details and confirmed fix availability.
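To find which sites need the upgrade described above without opening each dashboard, the following added example (not code from vuln.today, Patchstack or the plugin author) reads the plugin header from disk and flags installs at or below 7.2.0. It assumes the default wp-content/plugins layout; the function names and status strings are illustrative.

```python
import re
import sys
from pathlib import Path

PLUGIN_SLUG = "woo-coupon-usage"  # plugin slug named in the advisory
HEADER = r"^[ \t/*#@]*{}:[ \t]*(.+?)[ \t\r]*$"  # WordPress-style header line

def parse_version(text):
    """'7.2', '7.2.0' and '7.2.0-beta1' all normalise to (7, 2)."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    while nums and nums[-1] == 0:  # drop trailing zeros so 7.2 == 7.2.0
        nums.pop()
    return tuple(nums)

LAST_AFFECTED = parse_version("7.2.0")  # advisory: affected through <= 7.2.0

def read_header(php_file, field):
    """Return a header field from the first 8 KB of a plugin file, or None."""
    head = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    m = re.search(HEADER.format(re.escape(field)), head, re.I | re.M)
    return m.group(1) if m else None

def installed_version(wp_root):
    """None if the plugin directory is absent, '' if no version was found."""
    # Assumption: default layout; wp-content can be relocated on some sites.
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        if read_header(php, "Plugin Name"):  # the plugin's main file
            return read_header(php, "Version") or ""
    return ""

def check_site(wp_root):
    """Classify one WordPress root against the advisory's version range."""
    version = installed_version(wp_root)
    if version is None:
        return "not-installed"
    if not parse_version(version):
        return "unknown"  # directory present but version unreadable
    if parse_version(version) <= LAST_AFFECTED:
        return "affected"
    return "above-affected-range"

if __name__ == "__main__":
    for root in sys.argv[1:]:  # usage: python check.py /var/www/site1 ...
        print(f"{root}\t{check_site(root)}")
```

A deactivated plugin still reports its on-disk version here, so treat "affected" as a prompt to update or remove the directory, and confirm the fixed release against the Patchstack entry.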
