Description
The Coupon Affiliates – Affiliate Plugin for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the commission_summary parameter in all versions up to, and including, 6.3.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2025-04-18
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The Coupon Affiliates – Affiliate Plugin for WooCommerce is vulnerable to reflected cross‑site scripting through the commission_summary parameter. Insufficient input sanitization and output escaping allow an unauthenticated attacker to inject arbitrary JavaScript that executes when a victim follows a crafted link. If the victim performs the expected action, the injected script can steal session cookies, deface content, or obtain sensitive data. The flaw relies solely on user interaction and does not require prior authentication or privileged access.

Affected Systems

WordPress sites that use the Coupon Affiliates – Affiliate Plugin for WooCommerce version 6.3.0 or earlier are affected. The vulnerability applies to all releases up to and including 6.3.0, regardless of custom configuration or usage of the commission_summary parameter.

Risk and Exploitability

The flaw carries a CVSS score of 6.1, indicating moderate severity. Its EPSS score is reported as less than 1%, suggesting a low probability of exploitation at this time, and it is not listed in the CISA KEV catalog. The likely attack vector involves an attacker delivering a malicious URL that contains a crafted commission_summary value, which a victim is then lured to click. Successful exploitation requires only that a user visit the URL; no authentication or additional system compromise is needed.

Generated by OpenCVE AI on April 22, 2026 at 17:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Coupon Affiliates – Affiliate Plugin for WooCommerce to version 6.3.1 or later to remove the vulnerable parameter handling code.
  • If an immediate update is unavailable, configure a web‑application firewall or rewrite rules to strip or escape the commission_summary parameter before it reaches the plugin script. This mitigates the XSS risk by preventing execution of injected code.
  • Implement ongoing monitoring for anomalous user activity or unexpected script executions on WordPress front‑end pages, and investigate any suspicious requests containing the commission_summary parameter.
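The monitoring bullet above asks for investigation of suspicious requests carrying the commission_summary parameter. As an added example (not OpenCVE's or the plugin's own code), the filter below scans access-log lines for that parameter and flags values containing markup or script-like fragments, URL-decoding repeatedly so double-encoded values are not missed. The combined log format, the sample lines and the indicator patterns are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample of combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [18/Apr/2025:12:01:02 +0000] "GET /affiliate-dashboard/?commission_summary=monthly HTTP/1.1" 200 5120
203.0.113.7 - - [18/Apr/2025:12:01:09 +0000] "GET /affiliate-dashboard/?commission_summary=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 5200
203.0.113.9 - - [18/Apr/2025:12:02:30 +0000] "GET /affiliate-dashboard/?commission_summary=%2525%3Cscript%3E HTTP/1.1" 200 5100
203.0.113.9 - - [18/Apr/2025:12:03:00 +0000] "GET /shop/?s=coupon HTTP/1.1" 200 9000
"""

# client, timestamp, method, request target, status (assumed combined log format)
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Markup or event-handler fragments that have no place in a summary selector value.
SUSPICIOUS_RE = re.compile(r'<|>|javascript:|on\w+\s*=', re.IGNORECASE)
PARAM = "commission_summary"

def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_requests(log_text: str) -> list:
    """Return (client_ip, timestamp, decoded_value) for every request whose
    commission_summary value contains a markup or script indicator."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        ip, ts, _method, target, _status = m.groups()
        # parse_qs performs one round of decoding; decode_fully handles the rest.
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for raw in query.get(PARAM, []):
            value = decode_fully(raw)
            if SUSPICIOUS_RE.search(value):
                hits.append((ip, ts, value))
    return hits

if __name__ == "__main__":
    for ip, ts, value in flag_requests(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious {PARAM}={value!r}")
```

Hits are a triage list, not a verdict: a flagged value only shows that markup reached the parameter, and each request still needs to be checked against the site's expected commission_summary values.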



Advisories
Source: EUVD
ID: EUVD-2025-11848
Title: The Coupon Affiliates – Affiliate Plugin for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the commission_summary parameter in all versions up to, and including, 6.3.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
History

Fri, 18 Apr 2025 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 18 Apr 2025 05:45:00 +0000

Type Values Removed Values Added
Description The Coupon Affiliates – Affiliate Plugin for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the commission_summary parameter in all versions up to, and including, 6.3.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title Coupon Affiliates – Affiliate Plugin for WooCommerce <= 6.3.0 - Reflected Cross-Site Scripting via 'commission_summary' Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:44:11.694Z

Reserved: 2025-04-14T15:00:30.555Z

Link: CVE-2025-3598

Vulnrichment

Updated: 2025-04-18T11:47:46.993Z

NVD

Status: Deferred

Published: 2025-04-18T06:15:44.987

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-3598

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:45:22Z

Weaknesses