Description
Cross-Site Request Forgery (CSRF) vulnerability in Awin Awin – Advertiser Tracking for WooCommerce awin-advertiser-tracking allows Cross Site Request Forgery. This issue affects Awin – Advertiser Tracking for WooCommerce: from n/a through <= 2.0.0.
Published: 2025-05-07
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Cross‑Site Request Forgery vulnerability exists in the Awin – Advertiser Tracking for WooCommerce plugin that allows an attacker who can trick an authenticated user into visiting a crafted URL to force the regeneration of the product feed. This action can modify data presented to customers or disrupt e‑commerce operations without the victim’s consent. The weakness is identified as CWE‑352, leading to a moderate severity rating of CVSS 4.3.

Affected Systems

The vulnerability affects the Awin – Advertiser Tracking for WooCommerce WordPress plugin with versions up to and including 2.0.0. Any WordPress site using this plugin and an affected version is potentially exposed.

Risk and Exploitability

The CVSS score of 4.3 indicates medium risk, and the EPSS score of less than 1% suggests that widespread exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog, but the nature of a CSRF flaw means that a malicious actor could exploit it by luring an authenticated administrator or staff member into clicking a malicious link or by embedding the request in a page the victim views. The attacker would need the victim to be logged in with sufficient privileges to trigger the feed regeneration endpoint.

Generated by OpenCVE AI on April 30, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Awin – Advertiser Tracking for WooCommerce plugin to the latest version (>= 2.0.1) or, if an update is unavailable, uninstall the plugin to eliminate the vulnerable endpoint.
  • If an immediate upgrade is not possible, limit access to the feed regeneration endpoint by removing the corresponding AJAX action or by adding a capability check so that only users with the 'manage_options' capability can trigger it.
  • Deploy a WAF or security plugin that validates nonces for state‑changing requests, and block or rate‑limit unauthenticated or suspicious POST/GET requests to the 'admin‑ajax.php' action used for product feed regeneration.



Advisories
Source: EUVD
ID: EUVD-2025-13752
Title: Cross-Site Request Forgery (CSRF) vulnerability in Awin Awin – Advertiser Tracking for WooCommerce allows Cross Site Request Forgery. This issue affects Awin – Advertiser Tracking for WooCommerce: from n/a through 2.0.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in Awin Awin – Advertiser Tracking for WooCommerce allows Cross Site Request Forgery. This issue affects Awin – Advertiser Tracking for WooCommerce: from n/a through 2.0.0.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Awin Awin – Advertiser Tracking for WooCommerce awin-advertiser-tracking allows Cross Site Request Forgery. This issue affects Awin – Advertiser Tracking for WooCommerce: from n/a through <= 2.0.0.

Type: References

Type: Metrics
Values Removed: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Mon, 14 Jul 2025 13:45:00 +0000

Type: Metrics
Values Removed: epss {'score': 0.00019}
Values Added: epss {'score': 0.00022}


Mon, 12 May 2025 20:15:00 +0000

Type: First Time appeared
Values Added: Awin; Awin awin - Advertiser Tracking For Woocommerce

Type: CPEs
Values Added: cpe:2.3:a:awin:awin_-_advertiser_tracking_for_woocommerce:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Awin; Awin awin - Advertiser Tracking For Woocommerce

Thu, 08 May 2025 16:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 May 2025 14:45:00 +0000

Type: Description
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Awin Awin – Advertiser Tracking for WooCommerce allows Cross Site Request Forgery. This issue affects Awin – Advertiser Tracking for WooCommerce: from n/a through 2.0.0.

Type: Title
Values Added: WordPress Awin – Advertiser Tracking for WooCommerce plugin <= 2.0.0 - CSRF to Product Feed Regeneration vulnerability

Type: Weaknesses
Values Added: CWE-352

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:47.619Z

Reserved: 2025-05-07T10:44:48.426Z

Link: CVE-2025-47633

Vulnrichment

Updated: 2025-05-08T15:14:28.160Z

NVD

Status: Modified

Published: 2025-05-07T15:16:16.503

Modified: 2026-04-23T15:30:38.877

Link: CVE-2025-47633

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T20:30:26Z

Weaknesses