CVE-2025-54025 is a Missing Authorization vulnerability (CWE-862) identified in the Coupon Affiliates plugin developed by Elliot Sowersby / RelyWP, affecting versions up to 6.4.0. This vulnerability arises from incorrectly configured access control security levels, allowing unauthorized users to perform actions or access resources that should be restricted. The CVSS v3.1 score of 6.5 (medium severity) indicates that the vulnerability can be exploited remotely (AV:N) without any privileges (PR:N) or user interaction (UI:N), and it impacts the integrity and availability of the affected system (I:L, A:L) but not confidentiality (C:N). The scope is unchanged (S:U), meaning the vulnerability affects only the vulnerable component itself. Since the vulnerability involves missing authorization, attackers can potentially manipulate or disrupt the plugin’s functionality, such as altering affiliate coupon data or interfering with affiliate tracking, which could lead to data integrity issues or denial of service conditions. No known exploits are currently reported in the wild, and no patches have been linked yet, indicating that organizations using this plugin should be vigilant and monitor for updates. The vulnerability is particularly relevant to WordPress sites using the Coupon Affiliates plugin for managing affiliate marketing and coupon distribution, which may be targeted to manipulate affiliate commissions or disrupt marketing operations.

For European organizations utilizing the Coupon Affiliates plugin, this vulnerability could lead to unauthorized modification or disruption of affiliate marketing data, potentially causing financial losses through fraudulent affiliate commissions or loss of revenue due to disrupted marketing campaigns. The integrity and availability impact could undermine trust in affiliate relationships and damage brand reputation. Since the vulnerability can be exploited remotely without authentication or user interaction, attackers could automate attacks at scale, affecting multiple organizations. This is especially critical for e-commerce businesses and marketing agencies relying on affiliate programs for revenue generation. Additionally, compromised affiliate data could indirectly affect GDPR compliance if personal data is manipulated or exposed during exploitation, leading to regulatory and legal consequences.

Organizations should immediately audit their use of the Coupon Affiliates plugin and restrict its exposure to untrusted networks. Until an official patch is released, consider disabling or uninstalling the plugin if feasible. Implement web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the plugin’s endpoints. Monitor logs for unusual activity related to affiliate coupon management functions. Limit plugin administrative access strictly to trusted users and enforce least privilege principles. Regularly check for updates from the vendor and apply patches promptly once available. Additionally, conduct thorough access control reviews on all WordPress plugins and themes to ensure proper authorization mechanisms are in place. Employ segmentation and network-level controls to reduce the attack surface of WordPress installations hosting this plugin.