Description
The Affiliate Plus plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.2. This is due to missing or incorrect nonce validation on the 'affiplus_settings' page. This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-07-24
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery enabling unauthorized administrator actions
Action: Immediate Patch
AI Analysis

Impact

The Affiliate Plus plugin for WordPress contains a Cross‑Site Request Forgery (CSRF, CWE‑352) weakness caused by missing or incorrect nonce validation on its 'affiplus_settings' page. A WordPress nonce is the plugin's only proof that a state‑changing request originated from a form the site itself rendered for the current user; without that check, any page a logged‑in administrator visits can make the administrator's browser submit a forged request to the settings handler, and the plugin processes it with the administrator's privileges. The attacker needs no account on the target site, only a way to get the administrator to open a link or a page under the attacker's control. The direct impact is unauthorized configuration changes. The Wordfence title for this issue, 'Cross‑Site Request Forgery to Stored Cross‑Site Scripting', indicates that a forged settings change can be used to store script in a setting that is later rendered; the CSRF flaw itself injects nothing, it is the vector by which the malicious value gets saved.

Affected Systems

WordPress sites running the Affiliate Plus plugin by mindnl, version 1.3.2 or earlier, are affected. Every installation of these versions carries the weakness, because the missing nonce check is in the plugin's own handling of the 'affiplus_settings' page rather than in any optional configuration. A site is only exploitable, however, while an administrator is logged in and can be lured into triggering a forged request.

Risk and Exploitability

With a CVSS 3.1 base score of 6.1 (vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) the flaw is rated medium severity: no privileges are required, but user interaction is, and the assessed confidentiality and integrity impacts are low. The EPSS score of < 1% estimates a very low probability of exploitation in the wild over the next 30 days, the SSVC assessment recorded for this CVE lists Exploitation: none and Automatable: no, and the vulnerability is not in CISA KEV. Exploitation requires the attacker to trick an administrator into following a malicious link or submitting a forged request while logged in, so the attack is driven by social engineering rather than something that can be run against sites at scale without a victim.

Generated by OpenCVE AI on April 20, 2026 at 20:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the plugin's changelog for a release later than 1.3.2 that adds nonce validation to the 'affiplus_settings' page and upgrade to it; at the time this page was generated, no vendor fix or workaround had been recorded here.
  • If no fixed version is available, deactivate or uninstall the plugin to remove the CSRF surface. Deactivating leaves the plugin files on disk; uninstalling removes them.
  • For any plugin you maintain or fork, apply the standard CWE‑352 controls rather than relying on input validation alone: emit a WordPress nonce in every state‑changing form, verify it server‑side before processing, and pair the nonce check with a capability check. Sanitize on input and escape on output so that a value saved through a forged request cannot become stored cross‑site scripting, which is the follow‑on impact the Wordfence title names.
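The nonce check whose absence is described in the Impact section, and the CWE‑352 controls listed in the recommended actions above, look like this in a WordPress settings handler. This is an added illustration, not Affiliate Plus code and not a reconstruction of its handler: every function, option, field and nonce name prefixed affiplus_example_ is hypothetical, and only the page slug 'affiplus_settings' is taken from the advisory. The first function shows the CSRF‑prone pattern; the remaining ones show the hardened form.

```php
<?php
// Added example, not Affiliate Plus code. Names prefixed "affiplus_example_"
// are hypothetical; 'affiplus_settings' is the page slug named in the advisory.

// BEFORE (CWE-352 pattern): saves a setting on any POST that carries the
// field. No nonce, no capability check, no sanitization. A page on another
// origin can auto-submit a form to this site; the administrator's browser
// attaches the logged-in session cookie, so the save goes through.
function affiplus_example_save_settings_vulnerable() {
    if ( isset( $_POST['affiplus_example_header'] ) ) {
        update_option( 'affiplus_example_header', $_POST['affiplus_example_header'] );
    }
}

// AFTER: the form embeds a nonce bound to this user and this action.
function affiplus_example_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to access this page.' ), '', array( 'response' => 403 ) );
    }
    $value = get_option( 'affiplus_example_header', '' );
    ?>
    <div class="wrap">
      <h1>Affiliate Plus (example) settings</h1>
      <form method="post">
        <?php wp_nonce_field( 'affiplus_example_save_settings', 'affiplus_example_nonce' ); ?>
        <label for="affiplus_example_header">Header text</label>
        <input type="text" id="affiplus_example_header" name="affiplus_example_header"
               value="<?php echo esc_attr( $value ); ?>" />
        <?php submit_button( 'Save' ); ?>
      </form>
    </div>
    <?php
}

// AFTER: the handler refuses the request unless all three checks pass.
function affiplus_example_save_settings_hardened() {
    if ( ! isset( $_POST['affiplus_example_header'] ) ) {
        return; // not a save request for this page
    }
    // 1. Authorization: a nonce proves intent, not privilege, so the
    //    capability check is still required.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }
    // 2. Intent: the nonce must match the action and the current user.
    //    check_admin_referer() reads $_REQUEST['affiplus_example_nonce']
    //    and calls wp_die() itself when verification fails.
    check_admin_referer( 'affiplus_example_save_settings', 'affiplus_example_nonce' );
    // 3. Data: sanitize on input (and escape on output, as above) so a saved
    //    value cannot become stored XSS even if another check is bypassed.
    $clean = sanitize_text_field( wp_unslash( $_POST['affiplus_example_header'] ) );
    update_option( 'affiplus_example_header', $clean );
}

add_action( 'admin_init', 'affiplus_example_save_settings_hardened' );
add_action( 'admin_menu', function () {
    add_options_page(
        'Affiliate Plus (example)',   // page title
        'Affiliate Plus (example)',   // menu title
        'manage_options',             // capability needed to see the page
        'affiplus_settings',          // slug from the advisory
        'affiplus_example_render_settings_page'
    );
} );
```

The nonce and the capability check do different jobs and both are needed: the nonce shows the request came from a form this site rendered for this user, the capability check enforces who may change settings. Handlers that act on request parameters from a plain link (a GET) remain reachable through the 'clicking on a link' scenario in the advisory regardless of browser SameSite=Lax cookie defaults, so the server‑side nonce check is the control to rely on, not the browser.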


Advisories

Source: EUVD
ID: EUVD-2025-22491
Title: The Affiliate Plus plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.2. This is due to missing or incorrect nonce validation on the 'affiplus_settings' page. This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into performing an action such as clicking on a link.
History

Thu, 24 Jul 2025 21:30:00 +0000

  Type: First Time appeared. Values removed: none. Values added: Wordpress; Wordpress wordpress
  Type: Vendors & Products. Values removed: none. Values added: Wordpress; Wordpress wordpress

Thu, 24 Jul 2025 13:15:00 +0000

  Type: Metrics (ssvc). Values removed: none. Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 24 Jul 2025 09:30:00 +0000

  Type: Description. Values removed: none. Values added: The Affiliate Plus plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.2. This is due to missing or incorrect nonce validation on the 'affiplus_settings' page. This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into performing an action such as clicking on a link.
  Type: Title. Values removed: none. Values added: Affiliate Plus <= 1.3.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting
  Type: Weaknesses. Values removed: none. Values added: CWE-352
  Type: References. Values removed: none. Values added: none listed
  Type: Metrics (cvssV3_1). Values removed: none. Values added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:33:01.679Z

Reserved: 2025-07-15T19:07:22.680Z

Link: CVE-2025-7690

Vulnrichment

Updated: 2025-07-24T13:05:32.022Z

NVD

Status: Deferred

Published: 2025-07-24T10:15:28.283

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7690

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T20:15:06Z

Weaknesses