Description
Unauthenticated Cross Site Scripting (XSS) in Coupon Affiliates <= 7.5.3 versions.
Published: 2026-06-15
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated Cross Site Scripting flaw present in versions of the WordPress Coupon Affiliates plugin up to 7.5.3. It permits an attacker to inject arbitrary JavaScript that executes in the browser of any visitor who accesses the vulnerable functionality. This could let an attacker manipulate the page content, intercept input, or perform other actions within the context of the site. The weakness is a classic input validation failure (CWE‑79).

Affected Systems

WordPress sites that have the RelyWP Coupon Affiliates plugin installed, versions 7.5.3 or earlier. The flaw affects all installations regardless of user role or authentication status, as the vulnerable input can be accessed from publicly reachable URLs.

Risk and Exploitability

CVSS base score of 7.1 denotes high severity. EPSS is less than 1%, so the probability of exploitation in the wild is currently low, and it is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is an unauthenticated attacker sending a crafted request or link that triggers the plugin to echo unsanitized data to the browser. The attacker does not need elevated privileges or prior access; visiting a malicious link or injecting content via the plugin’s public interfaces suffices. Although the exploitation window may be limited, the potential impact remains significant if an attacker can target high‑traffic sites.

Generated by OpenCVE AI on June 16, 2026 at 21:50 UTC.

Remediation

Vendor Solution

Update the WordPress Coupon Affiliates Plugin to the latest available version (at least 7.6.0).

OpenCVE Recommended Actions

  • Upgrade the Coupon Affiliates plugin to version 7.6.0 or later.
  • If an upgrade cannot be performed, disable or uninstall the plugin until the update is available.
  • Implement a web application firewall rule or Content Security Policy that blocks unexpected script execution to mitigate XSS until the patch is applied.

Generated by OpenCVE AI on June 16, 2026 at 21:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Relywp
Relywp coupon Affiliates
Wordpress
Wordpress wordpress
Vendors & Products Relywp
Relywp coupon Affiliates
Wordpress
Wordpress wordpress

Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Cross Site Scripting (XSS) in Coupon Affiliates <= 7.5.3 versions.
Title WordPress Coupon Affiliates plugin <= 7.5.3 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Relywp Coupon Affiliates
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T17:11:20.769Z

Reserved: 2026-04-15T09:20:36.793Z

Link: CVE-2026-40770

cve-icon Vulnrichment

Updated: 2026-06-16T13:29:51.880Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:49.597

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-40770

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-16T22:00:13Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')