Smart Coupons For WooCommerce Coupons < 2.3.0 - Missing Authorization
Description
The Smart Coupons For WooCommerce Coupons plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions before 2.3.0. This makes it possible for unauthenticated attackers to perform an action that should be restricted to authorized users.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- AV:N / AC:L: reachable over the network with no special conditions
- PR:N / UI:N: no privileges and no user interaction required (unauthenticated)
- S:U: scope unchanged
- C:N / I:L / A:N: no confidentiality or availability impact; low integrity impact (limited state changes)
Technical Details
Affected versions: < 2.3.0
What Changed in the Fix
Changes introduced in v2.3.0
Source Code
WordPress.org SVN
Vulnerability Analysis: CVE-2026-45438 - Missing Authorization in Smart Coupons For WooCommerce Coupons
The Smart Coupons For WooCommerce Coupons plugin (versions < 2.3.0) contains a missing authorization vulnerability in its cross-promotion banner system. The AJAX handlers that manage the "Accessibility CTA" banner, and possibly the other banners introduced in 2.2.8 (the EMA and CTA banners), are either registered on wp_ajax_nopriv_ hooks without an authorization check or do not consistently enforce a capability check across all banner-related actions. An unauthenticated attacker can therefore trigger actions meant for administrators, such as dismissing administrative notices or starting background processes.
The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates that the issue is reachable over the network with no privileges and no user interaction, which is consistent with unauthenticated exploitation. In the source code of Wbte_Accessibility_Banner, some methods do carry current_user_can checks, but the banner management functions and their AJAX registrations remain the primary attack surface: in vulnerable versions, the wp_ajax_nopriv_ variants of these actions are either registered without any check or the checks that exist are insufficient.
1. Attack Vector Analysis
- Endpoint: wp-admin/admin-ajax.php
- Actions: wbte_accessibility_dismiss_banner, wbte_accessibility_remind_later, or wbte_accessibility_install_plugin (and potentially similar actions in Wbte_Cta_Banner or Wbte_Ema_Banner).
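The following is an added illustrative example, not the plugin's source code, of the two registration patterns that separate a missing-authorization AJAX handler from a hardened one. The action name wbte_accessibility_dismiss_banner is taken from the analysis above; the callback names, the option key, the nonce action string and the script handle are assumptions chosen for illustration.

```php
<?php
// Illustrative example only; not the plugin's own code.
// Action name from the advisory; everything else below is assumed.

// --- Vulnerable pattern ---
// Registering the callback on wp_ajax_nopriv_ makes it reachable by
// logged-out visitors, and the callback performs neither a nonce nor a
// capability check, so any request to admin-ajax.php can change the option.
add_action( 'wp_ajax_nopriv_wbte_accessibility_dismiss_banner', 'wbte_dismiss_banner_vulnerable' );
add_action( 'wp_ajax_wbte_accessibility_dismiss_banner', 'wbte_dismiss_banner_vulnerable' );

function wbte_dismiss_banner_vulnerable() {
    // Assumed option name; the state change itself is the unauthorized action.
    update_option( 'wbte_accessibility_banner_dismissed', 1 );
    wp_send_json_success();
}

// --- Hardened pattern ---
// 1. Register only the authenticated hook (no wp_ajax_nopriv_ variant).
// 2. Verify a nonce bound to this action so cross-site requests fail.
// 3. Require a capability appropriate for an admin-notice action.
add_action( 'wp_ajax_wbte_accessibility_dismiss_banner', 'wbte_dismiss_banner_hardened' );

function wbte_dismiss_banner_hardened() {
    // Terminates the request with HTTP 403 when the nonce is missing or invalid.
    check_ajax_referer( 'wbte_accessibility_banner', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    update_option( 'wbte_accessibility_banner_dismissed', 1 );
    wp_send_json_success();
}

// The nonce checked above has to be issued server-side to the admin page
// whose script fires the request (assumed script handle 'wbte-accessibility-banner').
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'wbte-accessibility-banner', 'wbteBanner', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'wbte_accessibility_banner' ),
    ) );
} );
```

When reviewing a plugin for this class of bug, grep for every wp_ajax_nopriv_ registration and confirm that the callback either is genuinely meant for anonymous visitors or, as in the hardened form, is not registered on the nopriv hook at all; a nonce alone is not an authorization check, so both check_ajax_referer() and current_user_can() are needed for an admin-only action.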