Skip to main content

CVE-2025-66154

MEDIUM
Missing Authorization (CWE-862)
2025-12-31 audit@patchstack.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.4 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 17:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in merkulove Couponer for Elementor couponer-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Couponer for Elementor: from n/a through <= 1.1.7.

AnalysisAI

Missing authorization in Merkulove Couponer for Elementor plugin versions up to 1.1.7 allows unauthenticated attackers to bypass access controls and exploit incorrectly configured security levels, potentially gaining unauthorized access to sensitive coupon management functionality. The vulnerability carries low real-world exploitation probability (EPSS 0.02%) despite being classified as an authentication bypass, suggesting limited practical attack surface or requirement for specific configuration conditions.

Technical ContextAI

This vulnerability stems from broken access control (CWE-862), a failure to properly enforce authorization checks on protected resources. Couponer for Elementor is a WordPress plugin that integrates with the Elementor page builder to manage promotional coupons. The vulnerability indicates that the plugin fails to adequately verify user permissions before allowing access to certain administrative or coupon-related operations, potentially allowing unauthenticated users or users with insufficient privileges to perform restricted actions. This type of flaw is common in WordPress plugins that do not properly implement capability checks on AJAX endpoints or REST API routes.

Affected ProductsAI

Merkulove Couponer for Elementor WordPress plugin versions 1.1.7 and earlier are affected. The vulnerability was reported by Patchstack's audit team and documented in the Patchstack vulnerability database for the couponer-elementor plugin.

RemediationAI

Update Merkulove Couponer for Elementor to a patched version above 1.1.7 as soon as available from the official WordPress.org plugin repository or the vendor's website. Review the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/couponer-elementor/vulnerability/wordpress-couponer-for-elementor-plugin-1-1-7-broken-access-control-vulnerability for detailed patch availability and version information. As an interim measure, restrict plugin functionality to authenticated users only and review user role assignments to ensure least-privilege access to coupon management features.

Share

CVE-2025-66154 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy