Description
Cross-Site Request Forgery (CSRF) vulnerability in Blair Williams ThirstyAffiliates thirstyaffiliates allows Cross Site Request Forgery. This issue affects ThirstyAffiliates: from n/a through <= 3.11.9.
Published: 2026-02-03
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized state‑changing actions via CSRF
Action: Immediate Patch
AI Analysis

Impact

A Cross‑Site Request Forgery vulnerability exists in the Blair Williams ThirstyAffiliates WordPress plugin. The plugin fails to verify an anti‑CSRF token on requests that alter affiliate links, settings, or other management data. This weakness enables an attacker to craft a forged HTTP request that a logged‑in user will unknowingly submit, allowing the attacker to modify affiliate information or plugin configuration using the user’s privileges. Based on the description, it is inferred that the impact is confined to the user’s allowed actions, but if the targeted user holds an administrator role, the attacker may gain broader control over the site’s affiliate management functions.

Affected Systems

All WordPress sites running Blair Williams ThirstyAffiliates plugin version 3.11.9 or earlier are affected. The vulnerability applies to every installation of these releases until the plugin is upgraded beyond 3.11.9.

Risk and Exploitability

The CVSS score of 5.4 ranks this issue as medium severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers would need a vulnerable WordPress site and an authenticated user who could be enticed by phishing, a malicious link, or other social engineering to visit a page that triggers the state‑changing request. Once the forged request fires, the attacker's chosen change to affiliate data is applied without any further interaction from the user.

Generated by OpenCVE AI on April 16, 2026 at 17:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ThirstyAffiliates plugin to a version newer than 3.11.9 that incorporates a proper anti‑CSRF check
  • If an upgrade is not immediately feasible, restrict the plugin’s functionality to administrator users only or disable it on sites that are not actively using affiliate management
  • Deploy a web application firewall or configure custom CSRF defenses (e.g., add unique request tokens) to protect the plugin’s state‑changing endpoints
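The third recommendation above (unique per-request tokens on state-changing endpoints) is, for a WordPress plugin, the core nonce mechanism. The following is an added illustration, not ThirstyAffiliates code and not derived from the plugin: a hypothetical admin handler that saves an affiliate link's destination URL, shown first in the weak form that matches CWE-352 and then hardened with WordPress's own `check_admin_referer()`, `current_user_can()` and `wp_nonce_field()` APIs. Every `example_*` name, the meta key and the `manage_options` capability choice are assumptions made for the example.

```php
<?php
// Added example (not ThirstyAffiliates code): a hypothetical WordPress admin
// action handler that saves an affiliate link's destination URL, shown first
// without and then with the anti-CSRF nonce check. All names that are not
// WordPress core APIs (example_*, _example_destination_url) are assumptions.

// --- Weak form: any request carrying the expected POST fields is accepted.
// The handler cannot distinguish a form the user intended to submit from one
// a third-party page submitted on the logged-in user's behalf (CWE-352).
function example_save_link_weak() {
    $link_id = (int) $_POST['link_id'];
    $url     = esc_url_raw( wp_unslash( $_POST['destination_url'] ) );
    update_post_meta( $link_id, '_example_destination_url', $url );
    wp_safe_redirect( admin_url( 'admin.php?page=example-links&updated=1' ) );
    exit;
}

// --- Hardened form: the request must carry a nonce that WordPress core tied
// to this user, this action name and a limited time window, and the user must
// hold the capability for the change. Both checks are standard core APIs.
function example_save_link_hardened() {
    // check_admin_referer() calls wp_die() when the '_wpnonce' field is
    // missing or does not verify for the 'example_save_link' action.
    check_admin_referer( 'example_save_link' );

    // Capability check: a valid nonce proves intent, not authorization.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to edit affiliate links.', 'example' ), 403 );
    }

    $link_id = isset( $_POST['link_id'] ) ? absint( $_POST['link_id'] ) : 0;
    $url     = isset( $_POST['destination_url'] ) ? esc_url_raw( wp_unslash( $_POST['destination_url'] ) ) : '';
    if ( 0 === $link_id || '' === $url ) {
        wp_die( esc_html__( 'Invalid link data.', 'example' ), 400 );
    }

    update_post_meta( $link_id, '_example_destination_url', $url );
    wp_safe_redirect( admin_url( 'admin.php?page=example-links&updated=1' ) );
    exit;
}
add_action( 'admin_post_example_save_link', 'example_save_link_hardened' );

// The matching form emits the nonce so that legitimate submissions carry it;
// a forged cross-site form has no way to obtain a valid value for this user.
function example_render_link_form( $link_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_save_link' ); // emits _wpnonce and _wp_http_referer ?>
        <input type="hidden" name="action" value="example_save_link">
        <input type="hidden" name="link_id" value="<?php echo esc_attr( $link_id ); ?>">
        <input type="url" name="destination_url">
        <?php submit_button( __( 'Save link', 'example' ) ); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this class of bug, look for every `admin_post_*`, `wp_ajax_*` and settings-page handler that writes data and confirm each one reaches `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` before the write; a capability check alone does not stop CSRF, because the forged request runs with the victim's capabilities.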

Advisories

No advisories yet.

History

Wed, 04 Feb 2026 12:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress; Wordpress wordpress
Vendors & Products                    Wordpress; Wordpress wordpress

Tue, 03 Feb 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}
                           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 03 Feb 2026 14:30:00 +0000

Type          Values Removed   Values Added
Description                    Cross-Site Request Forgery (CSRF) vulnerability in Blair Williams ThirstyAffiliates thirstyaffiliates allows Cross Site Request Forgery.This issue affects ThirstyAffiliates: from n/a through <= 3.11.9.
Title                          WordPress ThirstyAffiliates plugin <= 3.11.9 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses                     CWE-352
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:54.205Z

Reserved: 2026-01-28T09:51:55.183Z

Link: CVE-2026-25024

Vulnrichment

Updated: 2026-02-03T14:43:25.345Z

NVD

Status: Deferred

Published: 2026-02-03T15:16:20.847

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25024

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T17:30:26Z

Weaknesses