CVE-2025-62884 identifies a missing authorization vulnerability in the Coupon Affiliates WordPress plugin developed by Elliot Sowersby / RelyWP, specifically affecting versions up to and including 7.0.3. The flaw arises because certain plugin functionalities are accessible without proper Access Control Lists (ACLs), allowing unauthenticated remote attackers to invoke these functions without any privilege checks. This vulnerability is network exploitable (AV:N), requires no privileges (PR:N), and no user interaction (UI:N), making it relatively easy to exploit remotely. The impact is limited to confidentiality loss (C:L), with no integrity (I:N) or availability (A:N) impact reported. The plugin is commonly used in WooCommerce environments to manage coupon affiliate marketing, meaning that unauthorized access could expose sensitive coupon usage data or allow attackers to manipulate affiliate-related features. Although no public exploits are known at this time, the vulnerability's presence in a widely used e-commerce plugin raises concerns about potential misuse. The lack of patches at the time of disclosure necessitates immediate attention from administrators to monitor and restrict access to vulnerable plugin endpoints. The vulnerability was published on October 27, 2025, and assigned a CVSS v3.1 score of 5.3, categorizing it as medium severity.

For European organizations, particularly those operating e-commerce platforms using WooCommerce with the Coupon Affiliates plugin, this vulnerability could lead to unauthorized access to coupon affiliate functionalities. This may result in exposure of sensitive marketing data, unauthorized coupon usage tracking, or manipulation of affiliate commissions. Although the vulnerability does not directly compromise system integrity or availability, the confidentiality breach could undermine business trust, lead to financial discrepancies, and damage brand reputation. Attackers exploiting this flaw could gain insights into affiliate marketing strategies or customer coupon usage patterns, which could be leveraged for further targeted attacks or fraud. Given the plugin’s role in affiliate marketing, misuse could disrupt affiliate relationships or cause financial losses. The absence of known exploits reduces immediate risk, but the ease of exploitation and lack of required authentication make it a significant concern for organizations relying on this plugin.

1. Monitor official channels from Elliot Sowersby / RelyWP for patch releases and apply updates promptly once available. 2. Until patches are released, restrict access to the plugin’s endpoints by implementing web application firewall (WAF) rules that block unauthenticated requests targeting Coupon Affiliates functionalities. 3. Limit plugin usage to trusted administrators and disable or remove the plugin if it is not essential. 4. Conduct regular audits of WooCommerce plugins and their permissions to ensure no unauthorized access paths exist. 5. Implement strict network segmentation to isolate e-commerce backend systems from public internet access where feasible. 6. Enable detailed logging and monitoring of coupon affiliate activities to detect anomalous or unauthorized usage patterns. 7. Educate internal teams about the vulnerability and encourage vigilance for suspicious affiliate marketing behavior or data anomalies. 8. Consider deploying runtime application self-protection (RASP) solutions to detect and block unauthorized function calls within the plugin.