Description
Cross-Site Request Forgery (CSRF) vulnerability in SERVIT Software Solutions affiliate-toolkit affiliate-toolkit-starter allows Cross Site Request Forgery.This issue affects affiliate-toolkit: from n/a through <= 3.7.3.
Published: 2025-04-22
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a Cross‑Site Request Forgery flaw (CWE‑352) that permits an attacker to trick a logged‑in WordPress user into executing unintended actions through the affiliate‑toolkit plugin. It is inferred that the attacker requires an authenticated victim session, as CSRF typically exploits logged‑in users. It does not enable remote code execution, but it can lead to unauthorized modifications of site settings or data processed by the plugin.

Affected Systems

The affected component is the SERVIT Software Solutions affiliate‑toolkit plugin for WordPress, versions up through 3.7.3. Any WordPress site using these releases should verify the installed plugin version.

Risk and Exploitability

The EPSS score is below 1 %, suggesting that exploitation is expected to be uncommon, and the flaw is not listed in CISA’s KEV catalog. Based on the description, it is inferred that a CSRF attack requires an authenticated victim, typically via an known browsing session or compromised account. The likely attack vector involves an attacker crafting malicious URLs or embedding forms that trigger the plugin to process the request without proper validation. The CVSS score of 5.4 reflects a moderate impact on confidentiality, integrity, and availability.

Generated by OpenCVE AI on May 2, 2026 at 01:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to affiliate‑toolkit v3.7.4 or later to eliminate the CSRF flaw.
  • Employ a CSRF mitigation measure, such as adding a nonce or state parameter to all plugin requests, or configuring a web application firewall rule to block unexpected plugin POST operations.
  • Monitor plugin and user activity logs for anomalous requests that may indicate CSRF exploitation.
  • Periodically check the vendor’s official website for additional security updates or advisories.

Generated by OpenCVE AI on May 2, 2026 at 01:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-12316 Cross-Site Request Forgery (CSRF) vulnerability in SERVIT Software Solutions affiliate-toolkit allows Cross Site Request Forgery. This issue affects affiliate-toolkit: from n/a through 3.7.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in SERVIT Software Solutions affiliate-toolkit allows Cross Site Request Forgery. This issue affects affiliate-toolkit: from n/a through 3.7.3. Cross-Site Request Forgery (CSRF) vulnerability in SERVIT Software Solutions affiliate-toolkit affiliate-toolkit-starter allows Cross Site Request Forgery.This issue affects affiliate-toolkit: from n/a through <= 3.7.3.
Title WordPress affiliate-toolkit <= 3.7.3 - Cross Site Request Forgery (CSRF) Vulnerability WordPress affiliate-toolkit plugin <= 3.7.3 - Cross Site Request Forgery (CSRF) Vulnerability
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Wed, 30 Apr 2025 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Servit
Servit affiliate-toolkit
CPEs cpe:2.3:a:servit:affiliate-toolkit:*:*:*:*:*:wordpress:*:*
Vendors & Products Servit
Servit affiliate-toolkit

Tue, 22 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 22 Apr 2025 10:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in SERVIT Software Solutions affiliate-toolkit allows Cross Site Request Forgery. This issue affects affiliate-toolkit: from n/a through 3.7.3.
Title WordPress affiliate-toolkit <= 3.7.3 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}

Subscriptions

Servit Affiliate-toolkit
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:36.655Z

Reserved: 2025-04-22T08:46:38.826Z

Link: CVE-2025-46231

cve-icon Vulnrichment

Updated: 2025-04-22T14:34:14.103Z

cve-icon NVD

Status : Modified

Published: 2025-04-22T10:15:16.170

Modified: 2026-04-23T15:29:54.933

Link: CVE-2025-46231

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T02:00:15Z

Weaknesses