CVE-2025-14070: CWE-862 Missing Authorization in xfinitysoft Reviewify — Review Discounts & Photo/Video Reviews for WooCommerce
The Reviewify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'send_test_email' AJAX action in all versions up to, and including, 1.0.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to create arbitrary WooCommerce discount coupons, potentially causing financial loss to the store.
AI Analysis
Technical Summary
CVE-2025-14070 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the Reviewify — Review Discounts & Photo/Video Reviews plugin for WooCommerce on WordPress. The root cause is the absence of a capability check on the 'send_test_email' AJAX action, which is reachable by authenticated users with Contributor-level permissions or higher. This flaw enables such users to create arbitrary WooCommerce discount coupons without proper authorization. Since WooCommerce coupons directly affect store revenue by granting discounts, unauthorized creation can lead to financial losses and abuse of promotional offers. The vulnerability affects all versions up to 1.0.6 inclusive. The CVSS v3.1 base score is 7.5 (high), reflecting a network attack vector, low attack complexity, privileges no higher than Contributor required, no user interaction, and a significant impact on integrity but no impact on confidentiality or availability. The vulnerability was reserved in December 2025 and published in January 2026. No patches or known exploits are currently available, but the issue is publicly disclosed, which increases the risk of exploitation. The flaw is particularly concerning in environments where multiple users hold Contributor or higher roles, such as multi-author blogs or stores with delegated content management.
Potential Impact
The primary impact of this vulnerability is unauthorized modification of WooCommerce store data, specifically the creation of arbitrary discount coupons. This can lead to direct financial losses due to unauthorized discounts being applied to purchases. Additionally, it can undermine customer trust if fraudulent discounts are exploited or if the store's promotional integrity is compromised. The vulnerability does not affect confidentiality or availability but severely impacts data integrity. Attackers with Contributor-level access, which is a relatively low privilege level, can exploit this flaw without requiring administrator rights or user interaction, increasing the risk in environments with multiple authenticated users. This can also facilitate further attacks by incentivizing fraudulent purchases or coupon abuse. Organizations relying on the affected plugin risk revenue loss, reputational damage, and potential operational disruptions due to the need for incident response and remediation.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately update the Reviewify plugin to a patched version once available from the vendor. Until a patch is released, administrators should restrict Contributor-level access and above to trusted users only, minimizing the risk of exploitation. Implementing strict role-based access controls and auditing user permissions can reduce exposure. Additionally, monitoring WooCommerce coupon creation logs for unusual or unauthorized activity can help detect exploitation attempts early. If feasible, temporarily disabling the 'send_test_email' AJAX action or the Reviewify plugin itself can serve as a stopgap measure. Applying Web Application Firewall (WAF) rules to block suspicious AJAX requests related to coupon creation may also help. Regularly reviewing and tightening WordPress user roles and capabilities, combined with security plugins that enforce capability checks, will further reduce risk. Finally, educating store administrators about this vulnerability and encouraging prompt action is critical.
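The missing-authorization pattern described in the technical summary, the capability check that closes it, and the coupon-creation audit hook suggested under the mitigations, as an added PHP illustration that is not Reviewify's code; the AJAX action name, nonce action, function names and log format are assumptions.

```php
<?php
// Hypothetical illustration, not Reviewify's code. Hook, nonce and function
// names are assumptions; only the WordPress/WooCommerce APIs are real.

// Shared worker: builds the coupon the "test email" feature refers to.
function example_create_test_coupon() {
    $coupon = new WC_Coupon();
    $coupon->set_code( sanitize_text_field( wp_unslash( $_POST['code'] ?? '' ) ) );
    $coupon->set_discount_type( 'percent' );
    $coupon->set_amount( (float) ( $_POST['amount'] ?? 0 ) );
    $coupon->save();
    return $coupon->get_id();
}

// CWE-862 shape: every logged-in user can reach a wp_ajax_* handler, and this
// one never asks whether the caller may manage coupons, so a Contributor's
// request persists a coupon exactly like an administrator's would.
function example_send_test_email_unsafe() {
    wp_send_json_success( array( 'coupon_id' => example_create_test_coupon() ) );
}

// Hardened form: the nonce ties the request to the plugin's own admin page,
// and the capability check restricts it to users allowed to manage the shop.
// wp_send_json_error() terminates the request, so nothing below it runs.
function example_send_test_email_safe() {
    check_ajax_referer( 'example_send_test_email', 'nonce' );
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    wp_send_json_success( array( 'coupon_id' => example_create_test_coupon() ) );
}
// Only the hardened handler is registered; the unsafe one is shown for contrast.
add_action( 'wp_ajax_example_send_test_email', 'example_send_test_email_safe' );

// Interim detection: WooCommerce fires woocommerce_new_coupon after a coupon
// is stored. Recording the creator and their roles makes a coupon created by
// a Contributor account stand out in the server log until the plugin is patched.
add_action( 'woocommerce_new_coupon', function ( $coupon_id ) {
    $user = wp_get_current_user();
    error_log( sprintf(
        'wc-coupon-audit: coupon %d created by user %d (%s) roles=%s',
        $coupon_id,
        $user->ID,
        $user->user_login,
        $user->ID ? implode( ',', $user->roles ) : 'none'
    ) );
} );
```

The audit hook can live in a small must-use plugin so it keeps logging even if the Reviewify plugin is deactivated as a stopgap.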
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-04T21:14:37.597Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 695e4c137349d0379d7d5780
Added to database: 1/7/2026, 12:05:39 PM
Last enriched: 2/27/2026, 10:47:42 AM
Last updated: 3/24/2026, 3:54:15 PM