Description
Cross-Site Request Forgery (CSRF) vulnerability in bnielsen Affiliate Disclosure Statement affiliate-disclosure-statement allows Cross Site Request Forgery. This issue affects Affiliate Disclosure Statement: from n/a through <= 0.3.
Published: 2025-01-07
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Affiliate Disclosure Statement WordPress plugin is vulnerable to a Cross-Site Request Forgery flaw (CWE-352). An attacker who tricks an authenticated administrator into loading a crafted page can submit a request that injects arbitrary HTML or JavaScript which is stored by the plugin. When other users view the affected page, the injected code runs in their browsers, enabling session hijacking, defacement, or data theft. With a CVSS score of 7.1, the weakness carries high risk to confidentiality, integrity and availability for sites that rely on the plugin.

Affected Systems

bnielsen’s Affiliate Disclosure Statement plugin, any installation with a version less than or equal to 0.3. This includes all WordPress sites that have not upgraded past that release.

Risk and Exploitability

The EPSS score of less than 1 % suggests that widespread exploitation has not yet been observed, and the vulnerability is not listed in CISA’s KEV catalog. Nevertheless, the CVSS score indicates that a successful CSRF attack could lead to persistent script execution in other visitors’ browsers. The typical attack path involves a malicious site or email that causes a privileged admin to unknowingly submit a forged request; because the plugin lacks a CSRF token, the server stores the malicious payload and serves it to all users.

Generated by OpenCVE AI on May 1, 2026 at 22:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Affiliate Disclosure Statement to the latest version (≥0.4) that implements proper CSRF protection.
  • If an upgrade cannot be performed immediately, configure the site to require a CSRF token for all POST requests to the plugin, or otherwise restrict the relevant admin endpoints to the logged-in administrator only.
  • Remove or disable Affiliate Disclosure Statement if the plugin is no longer required, eliminating the attack surface altogether.
  • Implement a strict Content Security Policy that blocks the execution of injected scripts, mitigating the impact of any stored XSS that may already be present.

Generated by OpenCVE AI on May 1, 2026 at 22:20 UTC.
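The nonce-and-capability check that the recommended actions call for, shown as an added WordPress (PHP) example that is not the plugin's own code: the option name 'ads_statement_html', the admin-post action 'ads_save_statement' and the settings page slug 'ads' are hypothetical placeholders.

```php
<?php
// Added illustration, not code from the Affiliate Disclosure Statement plugin.
// Hypothetical names: option 'ads_statement_html', action 'ads_save_statement', page 'ads'.

// WEAK PATTERN: saves POST data with no nonce and no capability check, so a forged
// cross-site POST sent by a logged-in admin's browser is accepted and the raw HTML
// is stored for later output (CSRF leading to stored XSS).
function ads_save_statement_unprotected() {
    update_option( 'ads_statement_html', wp_unslash( $_POST['statement'] ?? '' ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=ads' ) );
    exit;
}

// HARDENED PATTERN: verify the nonce bound to this action, require manage_options,
// and strip script-capable markup before storing.
function ads_save_statement_protected() {
    // check_admin_referer() calls wp_die() when the nonce is missing or invalid.
    check_admin_referer( 'ads_save_statement', 'ads_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'ads' ), '', array( 'response' => 403 ) );
    }
    $raw  = isset( $_POST['statement'] ) ? wp_unslash( $_POST['statement'] ) : '';
    // wp_kses_post() keeps post-safe HTML but removes <script>, on* handlers and javascript: URLs.
    $safe = wp_kses_post( $raw );
    update_option( 'ads_statement_html', $safe );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=ads' ) ) );
    exit;
}
add_action( 'admin_post_ads_save_statement', 'ads_save_statement_protected' );

// Settings form paired with the hardened handler: the per-user, per-action nonce
// field is the value a cross-site form cannot supply.
function ads_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ads_save_statement">
        <?php wp_nonce_field( 'ads_save_statement', 'ads_nonce' ); ?>
        <textarea name="statement"><?php echo esc_textarea( get_option( 'ads_statement_html', '' ) ); ?></textarea>
        <?php submit_button( 'Save statement' ); ?>
    </form>
    <?php
}

// Output side: filter again on display so previously stored content cannot run as script.
function ads_render_statement() {
    echo wp_kses_post( get_option( 'ads_statement_html', '' ) );
}
```

Filtering on output as well as on save covers payloads that were stored before the fix was applied, which is the case the fourth recommended action (CSP) is also meant to contain.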

Advisories
Source: EUVD
ID: EUVD-2025-2830
Title: Cross-Site Request Forgery (CSRF) vulnerability in Jason Keeley, Bryan Nielsen Affiliate Disclosure Statement allows Cross Site Request Forgery. This issue affects Affiliate Disclosure Statement: from n/a through 0.3.
History

Thu, 23 Apr 2026 15:00:00 +0000
Type: Metrics cvssV3_1
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
Type: Description
Value removed: Cross-Site Request Forgery (CSRF) vulnerability in Jason Keeley, Bryan Nielsen Affiliate Disclosure Statement allows Cross Site Request Forgery. This issue affects Affiliate Disclosure Statement: from n/a through 0.3.
Value added: Cross-Site Request Forgery (CSRF) vulnerability in bnielsen Affiliate Disclosure Statement affiliate-disclosure-statement allows Cross Site Request Forgery. This issue affects Affiliate Disclosure Statement: from n/a through <= 0.3.
Type: References
Type: Metrics cvssV3_1
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Tue, 07 Jan 2025 17:15:00 +0000
Type: Metrics ssvc
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Jan 2025 15:30:00 +0000
Type: Description
Value: Cross-Site Request Forgery (CSRF) vulnerability in Jason Keeley, Bryan Nielsen Affiliate Disclosure Statement allows Cross Site Request Forgery. This issue affects Affiliate Disclosure Statement: from n/a through 0.3.
Type: Title
Value: WordPress Affiliate Disclosure Statement plugin <= 0.3 - CSRF to Stored XSS vulnerability
Type: Weaknesses
Value: CWE-352
Type: References
Type: Metrics cvssV3_1
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:01.553Z

Reserved: 2025-01-07T10:23:17.403Z

Link: CVE-2025-22552

Vulnrichment

Updated: 2025-01-07T16:31:13.908Z

NVD

Status : Deferred

Published: 2025-01-07T16:15:51.277

Modified: 2026-06-17T08:48:12.843

Link: CVE-2025-22552

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T22:30:16Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)