CVE-2025-54025: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was identified in the WordPress Coupon Affiliates plugin, tracked as CVE-2025-54025. The vulnerability affects versions up to 6.4.0 of the Coupon Affiliates plugin developed by Elliot Sowersby / RelyWP, allowing potential exploitation through incorrectly configured access control security levels. The vulnerability was discovered by Denver Jackson and publicly disclosed on August 6, 2025 (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L. It is classified under CWE-862 (Missing Authorization) and primarily involves issues with access control security levels. The vulnerability allows unauthenticated access to settings changes in the plugin (Patchstack).

The vulnerability is considered moderately dangerous and is expected to become exploited. It primarily affects the plugin's settings and could allow unauthorized changes to the plugin configuration. The CVSS score of 6.5 indicates a medium severity impact on the affected systems (Patchstack).

Users are advised to update to version 6.4.2 or later of the Coupon Affiliates plugin, which contains the fix for this vulnerability. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).