CVE-2025-14070: Reviewify WordPress Auth Bypass Flaw

CVE-2025-14070 Overview

CVE-2025-14070 affects the Reviewify plugin for WordPress in all versions up to and including 1.0.7. The vulnerability stems from a missing capability check on the send_test_email AJAX action handler. Authenticated users with Contributor-level access or above can invoke the action to create arbitrary WooCommerce discount coupons. Successful exploitation enables attackers to issue unauthorized discounts and inflict financial loss on affected stores. The flaw is classified under CWE-862: Missing Authorization.

Critical Impact

Authenticated Contributor accounts can generate arbitrary WooCommerce discount coupons, leading to direct revenue loss for affected merchants.

Affected Products

• Reviewify plugin for WordPress versions 1.0.0 through 1.0.7
• WooCommerce stores using the vulnerable plugin to manage review-based discounts
• WordPress sites permitting Contributor-level user registration

Discovery Timeline

• 2026-01-07 - CVE-2025-14070 published to NVD
• 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-14070

Vulnerability Analysis

The Reviewify plugin registers a send_test_email AJAX action intended to validate email delivery for review-discount notifications. The handler in admin/class-xswcrd-review-discounts-admin.php accepts authenticated AJAX requests but omits a current_user_can() capability check. As a result, any authenticated user — including low-privilege Contributors — can invoke the endpoint.

Despite the function name implying a test-email workflow, the underlying logic creates WooCommerce coupons as part of its execution path. Attackers can therefore generate arbitrary discount codes outside of the intended administrative workflow. Coupons created this way can be redeemed at checkout, monetizing the exploitation against the WooCommerce store.

Root Cause

The root cause is improper authorization on a privileged administrative AJAX endpoint. The handler verifies that a request is authenticated but does not validate the caller's role or capabilities. WordPress treats Contributors as content authors, not store administrators, so coupon creation should require manage_woocommerce or equivalent capabilities. The omission allows horizontal and vertical privilege escalation against the WooCommerce coupon subsystem.

Attack Vector

Exploitation requires an authenticated WordPress session with at least Contributor permissions. The attacker submits a crafted POST request to /wp-admin/admin-ajax.php specifying action=send_test_email along with parameters that drive coupon creation. Because no capability gate exists, the handler proceeds to create a coupon record in the WooCommerce database. No user interaction from an administrator is required, and the attack is reachable over the network through standard HTTP requests.

No verified proof-of-concept code is available in public sources. Technical details of the affected code path are documented in the WordPress Plugin Code Review for 1.0.6 and the Wordfence Vulnerability Analysis.

Detection Methods for CVE-2025-14070

Indicators of Compromise

• Unexpected WooCommerce coupon records created by non-administrator user IDs
• POST requests to /wp-admin/admin-ajax.php containing action=send_test_email from Contributor or Author accounts
• Spikes in coupon redemptions tied to recently created discount codes
• WooCommerce audit log entries showing coupon creation without corresponding admin UI sessions

Detection Strategies

• Review web server access logs for admin-ajax.php requests with the send_test_email action parameter
• Correlate coupon creation timestamps in the wp_posts table (post_type shop_coupon) with the originating user role
• Alert on AJAX action invocations originating from accounts that do not have manage_woocommerce capability

Monitoring Recommendations

• Enable WordPress and WooCommerce audit logging for coupon creation, modification, and redemption events
• Forward web server and WordPress logs to a centralized SIEM for correlation across requests, users, and database changes
• Track Contributor and Author account activity for unusual administrative AJAX calls

How to Mitigate CVE-2025-14070

Immediate Actions Required

• Update the Reviewify plugin to a version newer than 1.0.7 once a fixed release is published by the vendor
• Audit existing WooCommerce coupons and remove any that were not created by authorized administrators
• Restrict Contributor-level registration on production stores until the plugin is patched
• Review user role assignments and revoke unnecessary elevated permissions

Patch Information

The vendor addressed the underlying handler in WordPress Changeset #3434387. Site administrators should upgrade to the latest available Reviewify release that incorporates this changeset. The current vulnerable code path remains visible in the plugin trunk source for verification against deployed versions. Additional analysis is available from Wordfence.

Workarounds

• Deactivate the Reviewify plugin until a patched version can be installed
• Apply a web application firewall rule blocking admin-ajax.php requests with action=send_test_email from non-administrator sessions
• Temporarily disable user registration or require manual approval for new accounts
• Restrict WooCommerce coupon creation through database-level monitoring and alerting