CVE-2025-62884 Overview
CVE-2025-62884 is a Missing Authorization vulnerability [CWE-862] in the Coupon Affiliates WordPress plugin (woo-coupon-usage) developed by Elliot Sowersby / RelyWP. The flaw affects all plugin versions up to and including 7.2.0. The vulnerability allows unauthenticated attackers to access functionality that is not properly constrained by Access Control Lists (ACLs), leading to limited integrity impact on affected WordPress sites.
Critical Impact
Unauthenticated network-based attackers can invoke restricted plugin functionality due to broken access control, potentially modifying data managed by the Coupon Affiliates plugin.
Affected Products
- Elliot Sowersby / RelyWP Coupon Affiliates (woo-coupon-usage)
- All plugin versions from n/a through 7.2.0
- WordPress sites running WooCommerce with the affected plugin installed
Discovery Timeline
- 2025-10-27 - CVE-2025-62884 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-62884
Vulnerability Analysis
The vulnerability stems from a Missing Authorization weakness in the Coupon Affiliates plugin. The plugin exposes functionality that fails to verify user permissions before execution. Attackers can reach these endpoints over the network without authentication or user interaction.
The issue is classified under CWE-862: Missing Authorization. It reflects a design gap where sensitive actions rely on obscurity rather than enforced capability checks. Exploitation results in limited integrity impact, with no direct effect on confidentiality or availability according to the published CVSS vector.
The EPSS score sits at 0.249% with a percentile of 16.08, indicating relatively low current exploitation probability. However, WordPress plugin vulnerabilities frequently see opportunistic scanning once details become public.
Root Cause
The plugin registers callable handlers (typically WordPress AJAX actions or REST endpoints) without invoking capability checks such as current_user_can() or nonce validation. This omission lets any HTTP client reach the underlying business logic. Broken access control in WordPress plugins commonly arises from wp_ajax_nopriv_ hooks that expose privileged actions to unauthenticated users.
Attack Vector
An attacker sends crafted HTTP requests directly to the plugin's exposed endpoints on a target WordPress site. No credentials, tokens, or social engineering are required. The attacker leverages the missing ACL enforcement to invoke functionality intended for administrators, shop managers, or affiliates. See the Patchstack WordPress Vulnerability Report for endpoint-level details.
Detection Methods for CVE-2025-62884
Indicators of Compromise
- Unauthenticated POST or GET requests to admin-ajax.php referencing woo-coupon-usage actions from unexpected source IP addresses.
- Unexpected modifications to affiliate coupon assignments, commission records, or affiliate user metadata.
- Access log entries showing high-frequency requests to plugin-specific REST routes without valid session cookies.
Detection Strategies
- Inventory WordPress installations and identify sites running Coupon Affiliates versions <= 7.2.0.
- Audit web server access logs for requests targeting plugin endpoints without authenticated session cookies or valid nonces.
- Correlate WooCommerce order and coupon audit trails against expected affiliate activity to surface unauthorized changes.
Monitoring Recommendations
- Enable WordPress activity logging to record plugin-level actions and administrative changes.
- Deploy a web application firewall (WAF) rule set that blocks unauthenticated access to sensitive admin-ajax.php action names.
- Alert on anomalous spikes in requests to /wp-admin/admin-ajax.php or plugin REST namespaces from single source IPs.
How to Mitigate CVE-2025-62884
Immediate Actions Required
- Update the Coupon Affiliates plugin to a version later than 7.2.0 as soon as the vendor publishes a patched release.
- If a patched version is not yet available, deactivate the woo-coupon-usage plugin until remediation is confirmed.
- Review affiliate and coupon records for unauthorized modifications made prior to remediation.
Patch Information
Refer to the Patchstack advisory for the Coupon Affiliates plugin for the current patch status and vendor guidance. Administrators should track updates via the WordPress plugin repository and apply fixes promptly once released.
Workarounds
- Restrict access to wp-admin/admin-ajax.php via WAF rules or server-level ACLs where feasible.
- Apply virtual patching through a WAF to enforce authentication on affected plugin endpoints.
- Limit the plugin's exposure by placing the WordPress admin area behind IP allowlists or VPN access controls.
# Example: block unauthenticated access to plugin AJAX actions via nginx
location = /wp-admin/admin-ajax.php {
if ($arg_action ~* "^(wcu_|woo_coupon_)") {
if ($http_cookie !~* "wordpress_logged_in") {
return 403;
}
}
include fastcgi_params;
fastcgi_pass php-fpm;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

