CVE-2025-8692 is a medium-severity SQL Injection vulnerability affecting the Coupon API plugin for WordPress developed by kamilkhan. This vulnerability exists in all versions up to and including 6.2.9. The root cause is improper neutralization of special elements in SQL commands, specifically through the 'log_duration' parameter. The plugin fails to sufficiently escape or prepare this user-supplied parameter before incorporating it into SQL queries. As a result, authenticated users with Administrator-level privileges or higher can inject additional SQL commands into existing queries. This can lead to unauthorized extraction of sensitive data from the underlying database. The vulnerability requires no user interaction but does require high privileges (admin or above). The CVSS 3.1 base score is 4.9, reflecting a network attack vector with low attack complexity but requiring privileges. The impact is primarily on confidentiality, as attackers can exfiltrate data, while integrity and availability are not directly affected. No known exploits have been reported in the wild yet, and no patches or fixes have been linked at this time. The vulnerability was publicly disclosed in September 2025 and assigned CWE-89, which corresponds to SQL Injection due to improper neutralization of special elements in SQL commands.

For European organizations using WordPress sites with the kamilkhan Coupon API plugin, this vulnerability poses a risk of sensitive data exposure. Since the attack requires administrator-level access, the threat is primarily from insiders or attackers who have already compromised admin credentials. Successful exploitation could lead to leakage of customer data, business intelligence, or other confidential information stored in the database. This can result in reputational damage, regulatory non-compliance (e.g., GDPR violations), and potential financial penalties. The impact is more pronounced for e-commerce, retail, or marketing platforms relying on coupon management via this plugin. Although the vulnerability does not allow for data modification or denial of service, the confidentiality breach alone is significant. European organizations must consider the risk of credential compromise combined with this vulnerability to prevent data breaches.

1. Immediately audit all WordPress installations for the presence of the kamilkhan Coupon API plugin and identify versions up to 6.2.9. 2. Restrict administrator access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise. 3. Monitor logs and database queries for unusual or suspicious activity indicative of SQL injection attempts, especially involving the 'log_duration' parameter. 4. If possible, implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting this parameter. 5. Contact the plugin vendor or monitor official channels for patches or updates addressing this vulnerability and apply them promptly once available. 6. As an interim measure, consider disabling or removing the plugin if it is not critical to business operations. 7. Conduct regular security training for administrators to recognize phishing and other credential theft tactics that could lead to privilege escalation. 8. Review database permissions to ensure that the WordPress database user has the least privileges necessary to limit potential data exposure.