CVE-2025-8692 identifies an SQL Injection vulnerability in the Coupon API plugin for WordPress, maintained by kamilkhan. The vulnerability arises from improper neutralization of special characters in the 'log_duration' parameter, which is used in SQL queries without adequate escaping or prepared statements. This flaw allows an attacker with authenticated administrator-level access to append arbitrary SQL commands to existing queries. As a result, attackers can extract sensitive information from the backend database, such as user data, coupon codes, or other confidential information stored within the WordPress database. The vulnerability affects all versions of the plugin up to and including 6.2.9. Exploitation does not require user interaction but does require high privileges, limiting the attack surface to trusted users or compromised administrator accounts. The CVSS 3.1 base score is 4.9, indicating medium severity, with the vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N, meaning network attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, high confidentiality impact, and no integrity or availability impact. No public exploits or patches are currently available, so mitigation relies on access control and monitoring. The vulnerability is classified under CWE-89, a common and critical injection weakness.

The primary impact of CVE-2025-8692 is unauthorized disclosure of sensitive information stored in the WordPress database via SQL Injection. Since exploitation requires administrator-level access, the threat is mainly from insider threats or attackers who have already compromised an admin account. Successful exploitation could lead to leakage of user credentials, coupon codes, transaction data, or other sensitive business information, potentially facilitating further attacks or fraud. The vulnerability does not allow modification or deletion of data (no integrity or availability impact), limiting the scope to confidentiality breaches. Organizations relying on the Coupon API plugin in their WordPress environments, especially those handling sensitive customer or financial data, face increased risk of data exposure. The medium severity rating reflects the balance between the potential damage and the required privileges. If exploited, it could undermine customer trust and lead to regulatory or compliance issues related to data protection.

To mitigate CVE-2025-8692, organizations should first verify if they are using the affected Coupon API plugin versions up to 6.2.9 and plan immediate updates once patches become available. In the absence of official patches, administrators should restrict access to the WordPress admin panel to trusted personnel only and enforce strong authentication mechanisms such as multi-factor authentication to reduce the risk of compromised admin accounts. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious SQL injection patterns in the 'log_duration' parameter can provide temporary protection. Regularly audit and monitor database queries and logs for unusual activity indicative of SQL injection attempts. Additionally, consider isolating the WordPress database with least privilege principles, ensuring that the database user associated with the plugin has minimal permissions necessary to operate. Finally, educate administrators about the risks of SQL injection and the importance of secure plugin management.