CVE-2025-8692
BaseFortify
Publication date: 2025-09-11
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | coupon_api | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Coupon API plugin for WordPress is an SQL Injection via the 'log_duration' parameter. This occurs because the plugin does not properly escape or prepare the user-supplied 'log_duration' parameter in its SQL queries. As a result, authenticated users with Administrator-level access or higher can inject additional SQL commands into existing queries. This can allow them to extract sensitive information from the database.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker with Administrator-level access to extract sensitive information from your WordPress site's database. Although the attacker must already have high-level privileges, they can exploit this flaw to gain unauthorized access to data that should be protected, potentially leading to data breaches or exposure of confidential information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability can negatively affect compliance with standards like GDPR and HIPAA because it allows unauthorized extraction of sensitive data from the database. Such data breaches can lead to violations of data protection and privacy regulations, resulting in legal and financial consequences for failing to adequately protect personal or sensitive information.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the Coupon API plugin for WordPress to a version later than 6.2.9 where the SQL Injection vulnerability via the 'log_duration' parameter is fixed. Additionally, restrict Administrator-level access to trusted users only, as exploitation requires such privileges. Monitor and audit administrator activities for suspicious behavior until the plugin is updated.