PatchSiren cyber security CVE debrief
CVE-2026-45438 WebToffee CVE debrief
A Missing Authorization vulnerability (CWE-862) in the Smart Coupons for WooCommerce WordPress plugin allows unauthenticated attackers to exploit incorrectly configured access control security levels. The vulnerability affects all versions prior to 2.3.0 and has been assigned a CVSS 3.1 score of 7.5 (HIGH), indicating significant risk due to network attack vector, low attack complexity, no privileges required, and no user interaction needed. The confidentiality impact is none, but integrity impact is high, with no availability impact. The CVE was published on May 25, 2026, and modified on May 26, 2026. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Vendor attribution is pending review based on reference domain evidence from Patchstack.
- Vendor
- WebToffee
- Product
- Smart Coupons for WooCommerce
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-25
- Original CVE updated
- 2026-05-26
- Advisory published
- 2026-05-25
- Advisory updated
- 2026-05-26
Who should care
WordPress site administrators running WooCommerce with the Smart Coupons for WooCommerce plugin; e-commerce security teams; managed WordPress hosting providers; organizations with PCI-DSS compliance requirements for payment card environments.
Technical summary
The Smart Coupons for WooCommerce plugin prior to version 2.3.0 contains a Missing Authorization vulnerability (CWE-862) that permits attackers to bypass intended access controls. The vulnerability is remotely exploitable without authentication or user interaction, with a CVSS 3.1 base score of 7.5 (HIGH). The attack vector is network-based with low complexity. While confidentiality and availability are not impacted, the integrity impact is rated HIGH, suggesting attackers may be able to modify coupon data or perform unauthorized administrative actions on coupon configurations. The root cause is attributed to incorrectly configured access control security levels within the plugin.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Smart Coupons for WooCommerce to version 2.3.0 or later to remediate this vulnerability.
- Review WordPress plugin inventory to identify installations of Smart Coupons for WooCommerce running versions prior to 2.3.0.
- Monitor for unauthorized coupon modifications or administrative actions that may indicate exploitation attempts.
- Apply principle of least privilege to WordPress user accounts and review access control configurations.
- Subscribe to vendor security advisories from WebToffee for future vulnerability notifications.
Evidence notes
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. CWE-862 (Missing Authorization) identified as primary weakness. Affected product: Smart Coupons for WooCommerce by WebToffee. Fixed version: 2.3.0.
Official resources
-
CVE-2026-45438 CVE record
CVE.org
-
CVE-2026-45438 NVD detail
NVD
-
Source item URL
nvd_modified
- Mitigation or vendor reference
The CVE was published on May 25, 2026, with a modification on May 26, 2026. The NVD entry currently shows a status of 'Deferred'. No KEV entry exists as of the source publication date.