CVE-2026-45438 Overview
CVE-2026-45438 is a Missing Authorization vulnerability [CWE-862] in the WebToffee Smart Coupons for WooCommerce plugin for WordPress. The flaw lets unauthenticated attackers reach, over the network, plugin functionality whose access control is incorrectly configured, and perform actions reserved for authorized users. The vulnerability affects all versions of Smart Coupons for WooCommerce prior to 2.3.0. Because the plugin runs on WooCommerce storefronts, exploitation can directly impact coupon, discount, and order integrity on affected sites.
Critical Impact
Unauthenticated attackers can manipulate plugin functionality over the network without user interaction, resulting in high impact to data integrity on affected WooCommerce stores.
Affected Products
- WebToffee Smart Coupons for WooCommerce plugin for WordPress
- All versions prior to 2.3.0
- WooCommerce stores using the affected plugin versions
Discovery Timeline
- 2026-05-25 - CVE-2026-45438 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-45438
Vulnerability Analysis
The vulnerability stems from broken access control in the Smart Coupons for WooCommerce plugin. The plugin exposes functionality without enforcing proper authorization checks on the requester's role or capabilities. An attacker can reach sensitive plugin endpoints over the network without authentication or user interaction. According to the CVSS vector, the impact is to the integrity of WooCommerce coupon and discount data; confidentiality and availability are not affected.
The attack surface is the public-facing WordPress site. Because the plugin handles coupon logic tied to commerce transactions, abuse of unprotected actions can lead to unauthorized coupon creation, modification, or application. This type of weakness in WordPress plugins commonly maps to missing current_user_can() checks or absent capability validation in AJAX handlers and REST routes.
Root Cause
The root cause is classified under [CWE-862] Missing Authorization. The plugin code paths perform privileged operations without verifying that the calling user holds the required capability. Authentication state and nonce validation alone are insufficient when capability checks are absent or incorrectly configured.
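The CWE-862 pattern described above, shown as an added illustration that is not code from the Smart Coupons plugin: the hook, action and nonce names (hypo_*) are hypothetical, and the vulnerable and fixed handlers are shown side by side for contrast.

```php
<?php
// Added illustration of the CWE-862 pattern, not code from the Smart Coupons
// plugin: every hook, action and nonce name here is hypothetical.
// Shared privileged operation: creates a WooCommerce coupon post.
function hypo_insert_coupon( string $code, float $amount ): int {
    $id = wp_insert_post( array(
        'post_type'   => 'shop_coupon',
        'post_title'  => $code,
        'post_status' => 'publish',
    ) );
    update_post_meta( $id, 'coupon_amount', $amount );
    return (int) $id;
}

// BEFORE: the nonce proves the request came from a page that rendered it, and a
// public storefront page can render one. Nothing checks WHO is calling, and the
// wp_ajax_nopriv_ hook hands the handler to anonymous visitors as well.
function hypo_ajax_create_coupon_vulnerable() {
    check_ajax_referer( 'hypo_coupon_nonce', 'nonce' );
    $code   = sanitize_text_field( wp_unslash( $_POST['code'] ?? '' ) );
    $amount = (float) ( $_POST['amount'] ?? 0 );
    wp_send_json_success( array( 'id' => hypo_insert_coupon( $code, $amount ) ) );
}
add_action( 'wp_ajax_hypo_create_coupon',        'hypo_ajax_create_coupon_vulnerable' );
add_action( 'wp_ajax_nopriv_hypo_create_coupon', 'hypo_ajax_create_coupon_vulnerable' );

// AFTER: a capability check gates the operation. 'manage_woocommerce' is the
// capability WooCommerce grants to shop managers and administrators; the
// nopriv hook is dropped because anonymous callers have no legitimate use.
function hypo_ajax_create_coupon_fixed() {
    check_ajax_referer( 'hypo_coupon_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // exits
    }
    $code   = sanitize_text_field( wp_unslash( $_POST['code'] ?? '' ) );
    $amount = (float) ( $_POST['amount'] ?? 0 );
    wp_send_json_success( array( 'id' => hypo_insert_coupon( $code, $amount ) ) );
}
add_action( 'wp_ajax_hypo_create_coupon', 'hypo_ajax_create_coupon_fixed' );

// The same check on a REST route belongs in permission_callback; a route
// registered with '__return_true' there has the same CWE-862 defect.
add_action( 'rest_api_init', function () {
    register_rest_route( 'hypo/v1', '/coupons', array(
        'methods'             => 'POST',
        'callback'            => fn( $req ) => array( 'id' => hypo_insert_coupon(
            sanitize_text_field( $req['code'] ), (float) $req['amount'] ) ),
        'permission_callback' => fn() => current_user_can( 'manage_woocommerce' ),
    ) );
} );
```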
Attack Vector
The attack vector is network-based with low complexity, no privileges required, and no user interaction. An attacker sends crafted HTTP requests to vulnerable plugin endpoints exposed by the WordPress installation. The vulnerability mechanism is described in the Patchstack Vulnerability Advisory. No verified public exploit code is currently available.
Detection Methods for CVE-2026-45438
Indicators of Compromise
- Unexpected creation, modification, or deletion of coupon records in the WooCommerce database
- Anonymous or unauthenticated HTTP POST requests to Smart Coupons plugin endpoints under /wp-admin/admin-ajax.php or /wp-json/
- Coupon redemption patterns inconsistent with normal customer activity
Detection Strategies
- Review WordPress and web server access logs for requests targeting wt-smart-coupons-for-woocommerce paths from unauthenticated sessions
- Audit the wp_posts and WooCommerce coupon tables for entries created outside expected administrative workflows
- Correlate plugin endpoint requests with the absence of an authenticated wordpress_logged_in cookie
Monitoring Recommendations
- Enable verbose access logging on WordPress sites running WooCommerce and forward logs to a centralized SIEM
- Alert on spikes in admin-ajax.php requests with action parameters referencing Smart Coupons handlers
- Monitor WooCommerce order totals and applied coupon codes for anomalous discount patterns
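A detection sketch for the log review steps and the admin-ajax.php spike alert above, added here and not part of this advisory or the plugin. It assumes an access-log format that appends the request's Cookie header as a final quoted field, a hypothetical admin-ajax action prefix wt_smart_coupon for the plugin's handlers, and that the plugin's REST routes contain wt-smart-coupons in their path; the log lines are constructed.

```php
<?php
// Added detection sketch; not part of the advisory or the plugin. Assumes a
// log format whose last quoted field is the Cookie header, a hypothetical
// "wt_smart_coupon" action prefix and "wt-smart-coupons" REST path segment.

$log = <<<'LOG'
203.0.113.10 - - [25/May/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=wt_smart_coupon_save HTTP/1.1" 200 512 "-" "curl/8.0" "-"
203.0.113.10 - - [25/May/2026:10:01:03 +0000] "POST /wp-admin/admin-ajax.php?action=wt_smart_coupon_save HTTP/1.1" 200 512 "-" "curl/8.0" "-"
198.51.100.7 - - [25/May/2026:10:05:44 +0000] "POST /wp-admin/admin-ajax.php?action=wt_smart_coupon_save HTTP/1.1" 200 512 "https://shop.example/wp-admin/" "Mozilla/5.0" "wordpress_logged_in_9f2c=shopmgr%7C1780000000%7Cabc; wp-settings-1=x"
198.51.100.9 - - [25/May/2026:10:06:01 +0000] "GET /wp-content/plugins/wt-smart-coupons-for-woocommerce/assets/js/front.js HTTP/1.1" 200 9000 "https://shop.example/" "Mozilla/5.0" "-"
LOG;

const LINE_RE = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \d+ "[^"]*" "[^"]*" "([^"]*)"$/';

// True for requests that reach state-changing plugin handlers: admin-ajax.php
// with a Smart Coupons action, or a non-GET request to the plugin's REST routes.
// Anonymous GETs of the plugin's public assets under /wp-content/plugins/ are
// normal storefront traffic and are deliberately not counted.
function is_plugin_handler(string $method, string $uri): bool {
    $path = parse_url($uri, PHP_URL_PATH) ?? '';
    parse_str(parse_url($uri, PHP_URL_QUERY) ?? '', $q);
    if (str_ends_with($path, '/admin-ajax.php')) {
        return str_starts_with($q['action'] ?? '', 'wt_smart_coupon');
    }
    return $method !== 'GET' && str_contains($path, '/wp-json/') && str_contains($path, 'wt-smart-coupons');
}

// WordPress sets a wordpress_logged_in_<hash> cookie only for authenticated sessions.
function is_anonymous(string $cookies): bool {
    return !preg_match('/(^|;\s*)wordpress_logged_in_[0-9a-f]+=/', $cookies);
}

$hits = [];  // client IP => count of unauthenticated plugin-handler requests
foreach (explode("\n", trim($log)) as $line) {
    if (!preg_match(LINE_RE, $line, $m)) { continue; }
    [, $ip, $method, $uri, $status, $cookies] = $m;
    if (is_plugin_handler($method, $uri) && is_anonymous($cookies)) {
        $hits[$ip] = ($hits[$ip] ?? 0) + 1;
        echo "suspect: $ip $method $uri -> $status\n";
    }
}
// Spike alert: even a small burst from one client is unusual for an action
// that only shop managers should be invoking; tune the threshold to your traffic.
foreach ($hits as $ip => $n) {
    if ($n >= 2) { echo "ALERT: $n unauthenticated Smart Coupons requests from $ip\n"; }
}
```

Run against the sample, only the two curl requests from 203.0.113.10 are flagged; the shop manager's request and the anonymous asset fetch are not.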
How to Mitigate CVE-2026-45438
Immediate Actions Required
- Update Smart Coupons for WooCommerce to version 2.3.0 or later on all WordPress sites
- Inventory WordPress installations to identify any instance of the wt-smart-coupons-for-woocommerce plugin
- Review coupon and order records for unauthorized changes made before the patch was applied
Patch Information
Upgrade the WebToffee Smart Coupons for WooCommerce plugin to version 2.3.0 or later. Refer to the Patchstack Vulnerability Advisory for vendor remediation details.
Workarounds
- Deactivate the Smart Coupons for WooCommerce plugin until the patched version can be deployed
- Restrict access to /wp-admin/admin-ajax.php and plugin REST routes at the web application firewall layer
- Apply virtual patching rules at the WAF to block unauthenticated requests to Smart Coupons endpoints
# Configuration example: ModSecurity rule to block unauthenticated access to
# Smart Coupons plugin endpoints (adapt to your WAF syntax). The chain denies
# only when all three rules match; the middle rule exempts the plugin's public
# assets under /wp-content/plugins/, which anonymous shoppers legitimately load.
# Caveats: the cookie test checks that a wordpress_logged_in_* cookie is present,
# not that it is valid, so this is a stopgap until 2.3.0 is deployed; admin-ajax.php
# calls carry the action in the POST body, so matching those needs a phase:2 rule
# on ARGS_POST:action instead of REQUEST_URI.
SecRule REQUEST_URI "@contains wt-smart-coupons-for-woocommerce" \
    "id:1004538,phase:1,deny,status:403,t:none,\
    chain,msg:'Block unauthenticated Smart Coupons access (CVE-2026-45438)'"
    SecRule REQUEST_URI "!@beginsWith /wp-content/plugins/" "chain"
    SecRule &REQUEST_COOKIES:/wordpress_logged_in_/ "@eq 0"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.