WordPress Coupon Affiliates Plugin <= 5.4.5 is vulnerable to Cross Site Scripting (XSS)
Description
Reflected XSS in Coupon Affiliates plugin <=5.4.5 allows unauthenticated attackers to inject arbitrary web scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A reflected Cross-Site Scripting (XSS) vulnerability exists in the Coupon Affiliates – Affiliate Plugin for WooCommerce (woo-coupon-usage) plugin for WordPress, versions 5.4.5 and earlier [1]. The flaw occurs when user-supplied input is not properly sanitized before being reflected back in the response, allowing injection of arbitrary JavaScript code.
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL containing a script payload. No authentication is required; the victim only needs to visit the crafted link. For example, a URL parameter could be manipulated to include a `<script>` tag that executes in the victim's browser context when the page is rendered.
Impact
Successful exploitation allows the attacker to perform actions in the context of the victim's session, such as stealing sensitive information (e.g., session cookies), redirecting the user to malicious sites, or performing actions on behalf of the victim within the WordPress admin interface. The attack does not require any privileged access.
Mitigation
The vulnerability has been fixed in a later version of the plugin; users should update to the latest version (7.8.1 as of writing) or at least a version newer than 5.4.5 [1]. If an immediate update is not possible, consider applying a Web Application Firewall (WAF) rule to filter malicious query strings.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=5.4.5
- Elliot Sowersby, RelyWP/WooCommerce Affiliate Plugin – Coupon Affiliates v5, Range: n/a
Patches
No patches discovered yet.