The vulnerability stems from missing checks for the 'enable_coupons' configuration in two critical paths: 1) The checkout flow (CheckoutManager.php) didn't validate the coupon feature status before applying discounts. 2) The coupon processing endpoint (functions.php) didn't verify the global enablement flag. The patches explicitly added these missing checks (via $canUseCoupons in CheckoutManager and get_option('enable_coupons') in functions.php), confirming these were the vulnerable points.