CVE-2025-66154 is a vulnerability classified under CWE-862 (Missing Authorization) found in the merkulove Couponer for Elementor plugin, a WordPress extension used to manage coupons and discounts. The flaw arises from incorrectly configured access control mechanisms, allowing users with limited privileges (e.g., authenticated users with lower roles) to perform actions that should be restricted. This lack of proper authorization checks can lead to unauthorized modifications of coupon data or disruption of coupon functionality, impacting the integrity and availability of the system. The vulnerability affects all versions up to 1.1.7, with no patches currently available. The CVSS 3.1 score of 5.4 indicates a medium severity, with an attack vector of network (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), but with integrity (I:L) and availability (A:L) impacts. No known exploits have been reported in the wild, but the vulnerability poses a risk to websites relying on this plugin for coupon management, especially in e-commerce environments. The vulnerability was reserved and published in late 2025, indicating recent discovery and disclosure.

For European organizations, particularly those operating e-commerce platforms or marketing websites using WordPress with the Couponer for Elementor plugin, this vulnerability could allow unauthorized users with limited privileges to manipulate coupon data or disrupt coupon services. This can lead to financial losses through unauthorized discounts, reputational damage, and potential service outages affecting customer experience. The integrity of promotional campaigns may be compromised, and availability issues could disrupt sales operations. Since the vulnerability requires some level of authentication, external attackers may need to gain initial access or exploit insider accounts. The absence of confidentiality impact reduces risks related to data leakage, but the integrity and availability concerns remain significant. Organizations in sectors heavily reliant on online sales and promotions are at higher risk, and the medium severity suggests prioritizing mitigation but not immediate emergency response.

1. Restrict access to the Couponer for Elementor plugin functions by enforcing strict role-based access controls, ensuring only trusted administrators or authorized personnel can manage coupons. 2. Monitor user activity logs for unusual coupon-related actions, especially from accounts with limited privileges. 3. Disable or uninstall the plugin if it is not essential to reduce the attack surface. 4. Implement web application firewalls (WAF) with custom rules to detect and block suspicious requests targeting coupon management endpoints. 5. Regularly review and update WordPress user roles and permissions to minimize privilege escalation risks. 6. Stay informed about vendor updates and apply patches immediately once released. 7. Conduct internal audits and penetration testing focused on authorization controls within WordPress plugins. 8. Educate staff about the risks of privilege misuse and enforce strong authentication mechanisms to prevent unauthorized access.