CVE-2025-64358 Overview
CVE-2025-64358 is a missing authorization vulnerability in the WebToffee Smart Coupons for WooCommerce WordPress plugin (wt-smart-coupons-for-woocommerce). The flaw affects all versions up to and including 2.2.3. The plugin exposes functionality without properly validating the security level of the requesting user, allowing authenticated users with low privileges to access restricted operations. The issue is classified under CWE-862: Missing Authorization and results in unauthorized read access to protected coupon-related data.
Critical Impact
Authenticated attackers with low-level privileges can bypass access controls on the Smart Coupons plugin, leading to confidentiality loss across affected WooCommerce stores.
Affected Products
- WebToffee Smart Coupons for WooCommerce plugin versions through 2.2.3
- WordPress installations running WooCommerce with the affected plugin
- E-commerce sites with authenticated low-privilege user accounts (subscribers, customers)
Discovery Timeline
- 2025-10-31 - CVE-2025-64358 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-64358
Vulnerability Analysis
The Smart Coupons for WooCommerce plugin fails to enforce proper authorization checks on one or more endpoints. Attackers with a valid authenticated session, including low-privileged accounts such as subscribers or customers, can invoke functionality intended for higher-privileged users. The vulnerability results from incorrectly configured access control security levels rather than a complete absence of authentication.
Successful exploitation compromises the confidentiality of coupon data managed by the plugin. Because WooCommerce sites commonly allow open customer registration, the barrier to obtaining a valid authenticated session is minimal. The vulnerability does not impact data integrity or availability based on the published metrics.
Root Cause
The root cause is a missing or incomplete capability check within plugin request handlers. WordPress plugins must validate the current user's role and capability using functions such as current_user_can() before serving privileged actions. When these checks are absent or misconfigured, any authenticated user may reach the underlying handler regardless of intended role restrictions.
Attack Vector
The vulnerability is exploitable over the network by any authenticated user. An attacker registers or logs in as a low-privileged user on the target WordPress site, then issues crafted HTTP requests to the vulnerable plugin endpoints. No user interaction is required beyond the attacker's own session. Detailed exploitation specifics are documented in the Patchstack Vulnerability Report.
Detection Methods for CVE-2025-64358
Indicators of Compromise
- Unexpected HTTP requests from low-privileged authenticated sessions targeting wt-smart-coupons-for-woocommerce plugin endpoints
- WordPress access logs showing subscriber or customer accounts accessing coupon administration actions
- Anomalous AJAX or REST API calls referencing Smart Coupons handlers from non-admin user IDs
Detection Strategies
- Audit WordPress activity logs for authenticated actions performed by non-administrator accounts against plugin endpoints
- Deploy a web application firewall rule to inspect requests to /wp-admin/admin-ajax.php and REST routes tied to the Smart Coupons plugin
- Correlate authentication events with plugin-specific actions to identify privilege boundary violations
Monitoring Recommendations
- Enable verbose logging for WooCommerce and plugin activity, including user IDs and requested actions
- Monitor for spikes in registration followed by immediate plugin endpoint access
- Track HTTP response codes on plugin routes to identify probing behavior
How to Mitigate CVE-2025-64358
Immediate Actions Required
- Update Smart Coupons for WooCommerce to a version newer than 2.2.3 as soon as a patched release is available from WebToffee
- Review WordPress user accounts and remove or downgrade unused subscriber and customer accounts
- Restrict new user registration on affected WooCommerce sites until the plugin is updated
Patch Information
The vulnerability affects Smart Coupons for WooCommerce versions up to and including 2.2.3. Administrators should consult the vendor and the Patchstack Vulnerability Report for the current fixed version and apply the update through the WordPress plugin manager.
Workarounds
- Temporarily deactivate the Smart Coupons for WooCommerce plugin until a patched version is installed
- Apply virtual patching through a web application firewall to block unauthorized requests to plugin endpoints
- Enforce least-privilege by auditing user role assignments and disabling open registration where feasible
# Disable the vulnerable plugin via WP-CLI until patched
wp plugin deactivate wt-smart-coupons-for-woocommerce
# Optionally disable open user registration
wp option update users_can_register 0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

