Skip to main content

Coupon Affiliates CVE-2026-49068

| EUVDEUVD-2026-36875 HIGH
Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497)
2026-06-15 Patchstack GHSA-2fch-5g6g-5j6q
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Remote unauthenticated HTTP request to a WordPress plugin endpoint leaks subscriber data; no integrity or availability impact, so C:H only.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:38 vuln.today

DescriptionCVE.org

Subscriber Sensitive Data Exposure in Coupon Affiliates <= 7.8.1 versions.

AnalysisAI

Sensitive data exposure in the Coupon Affiliates WordPress plugin (versions 7.8.1 and earlier) allows remote unauthenticated attackers to retrieve confidential subscriber information over the network without any user interaction. The flaw, reported by Patchstack and classified as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), carries a CVSS 7.5 score reflecting high confidentiality impact with no integrity or availability consequences. No public exploit identified at time of analysis.

Technical ContextAI

Coupon Affiliates (formerly woo-coupon-usage) is a WooCommerce extension by RelyWP that enables WordPress site owners to manage affiliate-driven coupon campaigns, tracking referrals and commissions tied to subscriber accounts. The affected CPE cpe:2.3:a:relywp:coupon_affiliates covers all versions up through 7.8.1. CWE-497 indicates the plugin exposes sensitive subscriber data - likely through an under-protected REST endpoint, AJAX action, or admin-ajax handler - that should have been restricted to authorized roles. In WordPress plugin ecosystems, this class of bug typically stems from missing capability checks (current_user_can) or nonce validation on endpoints that return subscriber, affiliate, or commission data.

RemediationAI

Upstream fix available per Patchstack advisory; released patched version not independently confirmed from the provided data - administrators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/woo-coupon-usage/vulnerability/wordpress-coupon-affiliates-plugin-7-8-1-sensitive-data-exposure-vulnerability and upgrade to the latest plugin release beyond 7.8.1 via the WordPress plugin dashboard. As compensating controls until patching, restrict access to wp-admin/admin-ajax.php and the plugin's REST routes via a WAF rule (Patchstack, Wordfence, or Cloudflare) targeting the Coupon Affiliates endpoints, which may break legitimate affiliate dashboard functionality, or deactivate the plugin entirely if affiliate features are not business-critical, which will disable coupon attribution and commission tracking.

Share

CVE-2026-49068 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy