CVE-2025-66154

2025-12-31

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 31, 2025 - 17:15 (nvd)

Description

Missing Authorization vulnerability in merkulove Couponer for Elementor couponer-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Couponer for Elementor: from n/a through <= 1.1.7.

Analysis

Missing authorization in Merkulove Couponer for Elementor plugin versions up to 1.1.7 allows unauthenticated attackers to bypass access controls and exploit incorrectly configured security levels, potentially gaining unauthorized access to sensitive coupon management functionality. The vulnerability carries a low real-world exploitation probability (EPSS 0.02%) despite being classified as an authentication bypass, which suggests a limited practical attack surface or a dependency on specific configuration conditions.

Technical Context

This vulnerability stems from broken access control (CWE-862), a failure to properly enforce authorization checks on protected resources. Couponer for Elementor is a WordPress plugin that integrates with the Elementor page builder to manage promotional coupons. The vulnerability indicates that the plugin fails to adequately verify user permissions before allowing access to certain administrative or coupon-related operations, potentially allowing unauthenticated users or users with insufficient privileges to perform restricted actions. This type of flaw is common in WordPress plugins that do not properly implement capability checks on AJAX endpoints or REST API routes.
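As an added illustration of the flaw class described above (not the plugin's code, which this page does not show), the following hypothetical WordPress handlers contrast an AJAX endpoint with no authorization check against a hardened version, plus the REST-route equivalent; all hypo_* names are invented for the example.

```php
<?php
// Added example: a hypothetical plugin's coupon-save endpoint. Function and
// option names (hypo_*) are invented; this is not Couponer for Elementor code.

// --- Vulnerable pattern (CWE-862) ---
// wp_ajax_nopriv_* exposes the handler to logged-out visitors, and the
// callback performs neither a capability check nor a nonce check, so any
// request that reaches admin-ajax.php can change coupon settings.
function hypo_coupon_save_vulnerable() {
    $code     = sanitize_text_field( wp_unslash( $_POST['code'] ?? '' ) );
    $discount = absint( $_POST['discount'] ?? 0 );
    update_option( 'hypo_coupon_' . $code, $discount ); // unauthenticated write
    wp_send_json_success();
}
// add_action( 'wp_ajax_hypo_coupon_save',        'hypo_coupon_save_vulnerable' );
// add_action( 'wp_ajax_nopriv_hypo_coupon_save', 'hypo_coupon_save_vulnerable' );

// --- Hardened pattern ---
// Registered for logged-in users only (no nopriv hook); a nonce bound to the
// action defeats CSRF, and current_user_can() enforces authorization before
// any state changes. Hiding the button in the UI is not access control.
function hypo_coupon_save_hardened() {
    check_ajax_referer( 'hypo_coupon_save', 'nonce' ); // dies on a bad nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $code     = sanitize_text_field( wp_unslash( $_POST['code'] ?? '' ) );
    $discount = absint( $_POST['discount'] ?? 0 );
    if ( '' === $code || $discount > 100 ) {
        wp_send_json_error( array( 'message' => 'Invalid coupon data.' ), 400 );
    }
    update_option( 'hypo_coupon_' . $code, $discount );
    wp_send_json_success();
}
add_action( 'wp_ajax_hypo_coupon_save', 'hypo_coupon_save_hardened' );

// The REST equivalent: permission_callback is where authorization lives.
// Returning '__return_true' here would reproduce the same missing-authorization flaw.
add_action( 'rest_api_init', function () {
    register_rest_route( 'hypo/v1', '/coupons', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => function ( WP_REST_Request $req ) {
            $code = sanitize_text_field( (string) $req->get_param( 'code' ) );
            update_option( 'hypo_coupon_' . $code, absint( $req->get_param( 'discount' ) ) );
            return rest_ensure_response( array( 'saved' => $code ) );
        },
        'permission_callback' => function () { return current_user_can( 'manage_options' ); },
    ) );
} );
```

When auditing a plugin for this class of bug, look for every wp_ajax_nopriv_* registration and every register_rest_route() call and confirm that a capability check runs server-side before any write.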

Affected Products

Merkulove Couponer for Elementor WordPress plugin versions 1.1.7 and earlier are affected. The vulnerability was reported by Patchstack's audit team and documented in the Patchstack vulnerability database for the couponer-elementor plugin.

Remediation

Update Merkulove Couponer for Elementor to a patched version above 1.1.7 as soon as available from the official WordPress.org plugin repository or the vendor's website. Review the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/couponer-elementor/vulnerability/wordpress-couponer-for-elementor-plugin-1-1-7-broken-access-control-vulnerability for detailed patch availability and version information. As an interim measure, restrict plugin functionality to authenticated users only and review user role assignments to ensure least-privilege access to coupon management features.

Priority Score

Score: 0
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0
