CVE-2025-64241: Missing Authorization in Imtiaz Rayhan WP Coupons and Deals
Missing Authorization vulnerability in Imtiaz Rayhan WP Coupons and Deals wp-coupons-and-deals allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Coupons and Deals: from n/a through <= 3.2.4.
AI Analysis
Technical Summary
CVE-2025-64241 identifies a missing authorization vulnerability in the WP Coupons and Deals plugin for WordPress, developed by Imtiaz Rayhan. This vulnerability arises from incorrectly configured access control security levels within the plugin, allowing users with low privileges (PR:L) to perform actions or access resources that should be restricted. The plugin version affected is up to and including 3.2.4, with no specific version range provided beyond that. The vulnerability is exploitable remotely over the network (AV:N) without requiring user interaction (UI:N), and it does not elevate privileges beyond the attacker's existing level. The impact is limited to confidentiality (C:L), with no direct effect on integrity or availability. This means an attacker could potentially access sensitive coupon or deal information that should be protected but cannot modify or disrupt the system. The CVSS score of 4.3 reflects this moderate risk. No known exploits are currently reported in the wild, and no official patches have been released as of the publication date. The vulnerability highlights the importance of proper access control implementation in WordPress plugins, especially those handling commercial or customer-related data. Organizations using this plugin should monitor for updates and review their access policies to mitigate risk.
Potential Impact
For European organizations, especially those operating e-commerce platforms or marketing websites using WordPress and the WP Coupons and Deals plugin, this vulnerability could lead to unauthorized disclosure of coupon or promotional data. While the impact on confidentiality is limited, exposure of coupon codes or deal information could undermine marketing strategies, cause financial loss, or damage customer trust. Since the vulnerability does not affect integrity or availability, it is less likely to cause direct service disruption or data tampering. However, unauthorized access could be leveraged as a foothold for further attacks if combined with other vulnerabilities. The risk is heightened for organizations with multiple users having low-level privileges, as attackers can exploit these accounts remotely without user interaction. Given the widespread use of WordPress in Europe, the vulnerability poses a moderate threat to businesses relying on this plugin for promotional activities.
Mitigation Recommendations
1. Immediately restrict access to the WP Coupons and Deals plugin features to only trusted and necessary users, minimizing the number of accounts with low privileges that could exploit this flaw.
2. Implement strict role-based access control (RBAC) policies within WordPress to ensure users have the minimum required permissions.
3. Monitor logs and user activity for unusual access patterns related to coupon or deal management functions.
4. Disable or remove the WP Coupons and Deals plugin if it is not essential to business operations until a patch is available.
5. Regularly check for updates from the plugin developer or security advisories and apply patches promptly once released.
6. Consider deploying a Web Application Firewall (WAF) with custom rules to detect and block suspicious requests targeting the plugin's endpoints.
7. Educate administrators and users about the risks of privilege misuse and enforce strong authentication mechanisms to reduce the risk of account compromise.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-10-29T03:08:12.203Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6941174d594e45819d70c3ea
Added to database: 12/16/2025, 8:24:45 AM
Last enriched: 1/20/2026, 11:49:14 PM
Last updated: 2/4/2026, 7:56:25 PM
Views: 25