CVE-2025-64358 MEDIUM

CVE-2025-64358: WordPress Smart Coupons for WooCommerce plugin <= 2.2.3 - Broken Access Control vulnerability

Vendor Webtoffee

Product Smart Coupons for WooCommerce

Weakness CWE-862 · Missing authorization

Published October 31, 2025

Last update April 28, 2026

View on NVD All CVEs

CVSS base score

4.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Missing Authorization vulnerability in WebToffee Smart Coupons for WooCommerce wt-smart-coupons-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Smart Coupons for WooCommerce: from n/a through <= 2.2.3.

Explanation of Vulnerability in Simple Terms

02Summary

Smart Coupons for WooCommerce versions up to 2.2.3 lack proper authorization checks, allowing authenticated users to access sensitive coupon data they should not see. An attacker with a low-privilege account can read information about coupons and their details without proper permission validation. This affects WooCommerce sites using the plugin.

What an attacker can do

03Attacker Capabilities

Read coupon data and details that should be restricted to higher-privilege users.

Potential impact on your site

04Site Impact

Coupon strategy and pricing information may be exposed to unauthorized users with site access.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege authenticated account on the WooCommerce site.

Key dates

06Disclosure timeline

October 31, 2025 CVE published

April 28, 2026 Record updated

External resources

07References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-64358 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities