Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Remote unauthenticated HTTP request to a WordPress plugin endpoint leaks subscriber data; no integrity or availability impact, so C:H only.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Sensitive Data Exposure in Coupon Affiliates <= 7.8.1 versions.
AnalysisAI
Sensitive data exposure in the Coupon Affiliates WordPress plugin (versions 7.8.1 and earlier) allows remote unauthenticated attackers to retrieve confidential subscriber information over the network without any user interaction. The flaw, reported by Patchstack and classified as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), carries a CVSS 7.5 score reflecting high confidentiality impact with no integrity or availability consequences. No public exploit identified at time of analysis.
Technical ContextAI
Coupon Affiliates (formerly woo-coupon-usage) is a WooCommerce extension by RelyWP that enables WordPress site owners to manage affiliate-driven coupon campaigns, tracking referrals and commissions tied to subscriber accounts. The affected CPE cpe:2.3:a:relywp:coupon_affiliates covers all versions up through 7.8.1. CWE-497 indicates the plugin exposes sensitive subscriber data - likely through an under-protected REST endpoint, AJAX action, or admin-ajax handler - that should have been restricted to authorized roles. In WordPress plugin ecosystems, this class of bug typically stems from missing capability checks (current_user_can) or nonce validation on endpoints that return subscriber, affiliate, or commission data.
RemediationAI
Upstream fix available per Patchstack advisory; released patched version not independently confirmed from the provided data - administrators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/woo-coupon-usage/vulnerability/wordpress-coupon-affiliates-plugin-7-8-1-sensitive-data-exposure-vulnerability and upgrade to the latest plugin release beyond 7.8.1 via the WordPress plugin dashboard. As compensating controls until patching, restrict access to wp-admin/admin-ajax.php and the plugin's REST routes via a WAF rule (Patchstack, Wordfence, or Cloudflare) targeting the Coupon Affiliates endpoints, which may break legitimate affiliate dashboard functionality, or deactivate the plugin entirely if affiliate features are not business-critical, which will disable coupon attribution and commission tracking.
More in Coupon Affiliates
View allUnauthenticated reflected/stored cross-site scripting in the Coupon Affiliates WordPress plugin (versions up to and incl
Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low at
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36875
GHSA-2fch-5g6g-5j6q