CVE-2025-64358 identifies a missing authorization vulnerability in the WebToffee Smart Coupons plugin for WooCommerce, versions up to and including 2.2.3. This vulnerability arises from incorrectly configured access control mechanisms within the plugin, which manages coupon creation and redemption functionalities for WooCommerce-based online stores. Specifically, unauthorized users can exploit this flaw to perform actions that should require elevated permissions, due to the absence of proper authorization checks. The vulnerability requires user interaction but no prior authentication, and it is exploitable remotely over the network. The CVSS 3.1 base score of 4.3 reflects a low impact on confidentiality, with no impact on integrity or availability, indicating that while unauthorized information disclosure is possible, the core data and service functionality remain intact. No public exploits have been reported to date, and no official patches have been linked yet. The vulnerability could allow attackers to manipulate coupon data, potentially leading to unauthorized discounts or coupon misuse, which can affect business revenue and customer trust. The plugin is widely used in WooCommerce installations, a popular e-commerce platform, making this a relevant concern for online retailers relying on this tool for promotional campaigns.

For European organizations, especially e-commerce businesses using WooCommerce with the WebToffee Smart Coupons plugin, this vulnerability poses a risk of unauthorized coupon manipulation. This can lead to financial losses through unintended discounts or fraudulent coupon usage, undermining revenue streams. Additionally, such unauthorized actions may damage customer trust and brand reputation if exploited. While the vulnerability does not directly compromise data integrity or availability, the potential for unauthorized information disclosure about coupon configurations exists. Given the widespread adoption of WooCommerce in Europe, particularly in countries with mature e-commerce markets, the impact could be significant for mid-sized to large online retailers. The lack of authentication requirements lowers the barrier for exploitation, increasing the risk profile. However, the requirement for user interaction somewhat limits automated exploitation. Organizations may also face compliance and audit challenges if unauthorized coupon activities are detected during financial reviews.

Organizations should monitor WebToffee’s official channels for the release of a security patch addressing CVE-2025-64358 and apply it immediately upon availability. Until patched, administrators should restrict access to the Smart Coupons plugin’s management interfaces to trusted users only, employing role-based access controls and minimizing permissions. Implementing web application firewalls (WAFs) with custom rules to detect and block suspicious coupon-related requests can provide temporary protection. Regularly auditing coupon creation and redemption logs for anomalies can help detect exploitation attempts early. Additionally, organizations should educate staff about the risk of social engineering or phishing that could trigger user interaction exploitation. Where possible, disabling or limiting coupon functionalities temporarily may be considered if the risk is deemed high. Finally, integrating security monitoring tools to alert on unusual coupon activity will enhance detection capabilities.