Description
Cross-Site Request Forgery (CSRF) vulnerability in Lora77 WpZon – Amazon Affiliate Plugin wpzon allows Reflected XSS. This issue affects WpZon – Amazon Affiliate Plugin: from n/a through <= 1.3.
Published: 2025-04-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a cross‑site request forgery flaw: the plugin accepts a request without an anti‑CSRF check, so an attacker can craft a request that carries arbitrary JavaScript. The script is returned in the response and executed in the victim’s browser, resulting in reflected cross‑site scripting. This can compromise confidentiality and integrity, for example by stealing session cookies, defacing pages, or performing other client‑side actions in the victim’s session.

Affected Systems

WordPress sites running the Lora77 WpZon – Amazon Affiliate Plugin at version 1.3 or earlier are affected. The plugin is distributed under the Lora77 brand; exposure is greatest on installations that do not restrict the plugin’s endpoints to administrators or other authenticated accounts. No operating system or PHP version constraints are specified, so the issue applies to any environment running the vulnerable plugin.

Risk and Exploitability

The CVSS score of 7.1 indicates high potential impact, while the EPSS score of less than 1 % denotes a low probability of exploitation at the present time. The vulnerability is not listed in CISA’s KEV catalog. Attackers can remotely exploit the flaw by constructing a malicious HTTP request that the plugin accepts without CSRF checks; the reflected script then executes when any user, authenticated or not, visits the affected page.

Generated by OpenCVE AI on May 1, 2026 at 09:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WpZon plugin to the latest available release, ensuring that the version you install has removed the CSRF vulnerability.
  • If an upgrade cannot be performed immediately, temporarily disable or remove the plugin to eliminate the vulnerable functionality until a fix is available.
  • Apply a web application firewall rule or similar request filtering to block POST or GET requests that contain suspicious script payloads targeting the plugin’s endpoints, thereby reducing the risk of exploitation.

Generated by OpenCVE AI on May 1, 2026 at 09:07 UTC.
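The analysis above describes the pattern behind this class of issue (a request accepted without a CSRF check, with a parameter reflected back unescaped) and the recommended actions stop at upgrading, disabling or filtering. As an added illustration, not code from the WpZon plugin or its author, the following hypothetical WordPress admin-page handler shows that pattern next to a hardened form that applies the three controls a plugin developer would add: a nonce check (anti-CSRF), a capability check (authorization) and output escaping (anti-XSS). Every identifier in it (the wpzon_demo_* functions, the 'term' parameter, the 'wpzon_demo_search' nonce action, the 'wpzon-demo' slug) is an assumption made for the example.

```php
<?php
/*
 * Added example, not the WpZon plugin's own code. All names below are assumptions.
 * First the vulnerable pattern the advisory describes, then a hardened handler
 * built from standard WordPress functions (wp_verify_nonce, current_user_can,
 * sanitize_text_field, esc_html, wp_nonce_field).
 */

// Vulnerable pattern for contrast: no nonce, no capability check, raw echo of input.
function wpzon_demo_render_insecure() {
	$term = isset( $_GET['term'] ) ? $_GET['term'] : '';
	echo '<p>Results for: ' . $term . '</p>'; // reflected into the page unescaped
}

// Hardened handler for the same page.
function wpzon_demo_render_secure() {
	// 1. Authorization: only users holding the capability may reach this endpoint.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'You are not allowed to do that.', 'wpzon-demo' ), 403 );
	}

	// The form itself can be shown without a nonce; only the search submission is verified.
	wpzon_demo_search_form();

	if ( isset( $_GET['term'] ) ) {
		// 2. Anti-CSRF: the submission must carry a nonce this site issued for this action,
		//    which a cross-origin page cannot obtain or forge.
		$nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
		if ( ! wp_verify_nonce( $nonce, 'wpzon_demo_search' ) ) {
			wp_die( esc_html__( 'Invalid or missing request token.', 'wpzon-demo' ), 403 );
		}

		// 3. Sanitize on input, escape on output: the value is rendered as text, never as markup.
		$term = sanitize_text_field( wp_unslash( $_GET['term'] ) );
		echo '<p>Results for: ' . esc_html( $term ) . '</p>';
	}
}

// The form that submits to the secure handler embeds the matching nonce as hidden fields.
function wpzon_demo_search_form() {
	echo '<form method="get" action="' . esc_url( admin_url( 'admin.php' ) ) . '">';
	echo '<input type="hidden" name="page" value="wpzon-demo">';
	wp_nonce_field( 'wpzon_demo_search' ); // emits the _wpnonce and _wp_http_referer inputs
	echo '<input type="text" name="term">';
	echo '<input type="submit" value="' . esc_attr__( 'Search', 'wpzon-demo' ) . '">';
	echo '</form>';
}

// Register the page so the hardened callback is the one WordPress invokes (constructed titles).
add_action( 'admin_menu', function () {
	add_menu_page(
		'WpZon demo',              // page title
		'WpZon demo',              // menu title
		'manage_options',          // capability required to see the menu entry
		'wpzon-demo',              // menu slug, matched by the hidden 'page' field above
		'wpzon_demo_render_secure'
	);
} );
```

The nonce is what addresses CWE-352 (the weakness listed for this record): a page on another origin can make a victim's browser send a request to the site, but it cannot read or mint a valid nonce for that user, so the forged request fails the check. Escaping with esc_html() is what prevents the reflected script from ever being interpreted as markup even if a request does reach the handler, so the two controls defend independently.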

Advisories
Source: EUVD
ID: EUVD-2025-12014
Title: Cross-Site Request Forgery (CSRF) vulnerability in Lora77 WpZon – Amazon Affiliate Plugin allows Reflected XSS. This issue affects WpZon – Amazon Affiliate Plugin: from n/a through 1.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in Lora77 WpZon – Amazon Affiliate Plugin allows Reflected XSS. This issue affects WpZon – Amazon Affiliate Plugin: from n/a through 1.3.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Lora77 WpZon – Amazon Affiliate Plugin wpzon allows Reflected XSS.This issue affects WpZon – Amazon Affiliate Plugin: from n/a through <= 1.3.

Type: References

Type: Metrics (cvssV3_1)
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Sat, 26 Apr 2025 20:15:00 +0000

Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 24 Apr 2025 16:15:00 +0000

Type: Description
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Lora77 WpZon – Amazon Affiliate Plugin allows Reflected XSS. This issue affects WpZon – Amazon Affiliate Plugin: from n/a through 1.3.

Type: Title
Values Added: WordPress WpZon – Amazon Affiliate Plugin plugin <= 1.3 - CSRF to XSS vulnerability

Type: Weaknesses
Values Added: CWE-352

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:39.707Z

Reserved: 2025-04-24T14:23:11.073Z

Link: CVE-2025-46506

Vulnrichment

Updated: 2025-04-24T19:54:32.503Z

NVD

Status : Deferred

Published: 2025-04-24T16:15:41.573

Modified: 2026-04-23T15:30:08.180

Link: CVE-2025-46506

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T09:15:13Z

Weaknesses