Impact
This vulnerability is a Cross‑Site Request Forgery flaw that allows an attacker to trick a logged‑in user into performing unintended actions on a WordPress site. Because the plugin does not validate a unique request token, an attacker can embed the malicious request in a link or form that, when visited or submitted by the authenticated user, executes the action on the site. The effect is potentially unauthorized data changes or the execution of administrative functions without the user's consent, as described by CWE‑352.
Affected Systems
The flaw affects the WordPress Coupon Affiliates plugin from the earliest documented release up to and including version 6.4.0, developed by Elliot Sowersby / RelyWP. Any WordPress installation that hosts this plugin and can authenticate a user capable of triggering state‑changing actions is subject to risk.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, reinforcing the low likelihood of widespread attacks. Exploitation requires the victim to be logged in with sufficient privileges and to visit a crafted URL or load a malicious form that submits a forged request. The absence of a CSRF token means the attack can proceed without additional credentials or user interaction beyond normal browsing.
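The missing request-token check described above, as an added PHP example that is not the Coupon Affiliates plugin's code: a hypothetical admin-post handler shown first in the CSRF-prone form (no token, only a login check) and then hardened with a WordPress nonce and a capability check. The option name, action slug and form field are made up for the example.

```php
<?php
// Added illustrative example, not the plugin's own code. Both handlers update a
// made-up option 'example_plugin_commission_rate' from an admin form.

// --- Vulnerable pattern: a forged form loaded by any logged-in admin reaches this. ---
function example_plugin_save_settings_unsafe() {
    // Confirms only that *some* authenticated user sent the request, not that the
    // user intended it; a cross-site form submission passes this check.
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not logged in', '', array( 'response' => 403 ) );
    }
    $rate = isset( $_POST['commission_rate'] )
        ? sanitize_text_field( wp_unslash( $_POST['commission_rate'] ) ) : '';
    update_option( 'example_plugin_commission_rate', $rate ); // state change, attacker-chosen value
    wp_safe_redirect( admin_url( 'admin.php?page=example-plugin' ) );
    exit;
}

// --- Hardened pattern: per-user, time-limited nonce plus capability check. ---
function example_plugin_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_plugin_save_settings">
        <?php wp_nonce_field( 'example_plugin_save_settings', 'example_plugin_nonce' ); ?>
        <input type="text" name="commission_rate"
               value="<?php echo esc_attr( get_option( 'example_plugin_commission_rate', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_plugin_save_settings_safe() {
    // 1. Authorization: the caller must hold the capability this action requires.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the request must carry a nonce bound to this action and this user.
    //    check_admin_referer() calls wp_die() when the nonce is missing or invalid.
    check_admin_referer( 'example_plugin_save_settings', 'example_plugin_nonce' );

    $rate = isset( $_POST['commission_rate'] )
        ? sanitize_text_field( wp_unslash( $_POST['commission_rate'] ) ) : '';
    update_option( 'example_plugin_commission_rate', $rate );
    wp_safe_redirect( admin_url( 'admin.php?page=example-plugin' ) );
    exit;
}
add_action( 'admin_post_example_plugin_save_settings', 'example_plugin_save_settings_safe' );
```

The same two checks apply to AJAX handlers (check_ajax_referer) and REST routes (a permission_callback), which are the other common places a WordPress plugin performs state changes.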