CVE-2025-48306
Description
A CSRF vulnerability in Savyour Affiliate Partner plugin (≤2.1.4) allows an unauthenticated attacker to trick a privileged user into executing actions that result in stored XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Savyour Affiliate Partner plugin for WordPress, versions 2.1.4 and earlier, contains a Cross-Site Request Forgery (CSRF) vulnerability that can lead to stored Cross-Site Scripting (XSS) [1]. The root cause is that the plugin does not validate a CSRF token on certain state-changing requests issued by privileged users. In WordPress terms this typically means the request handler never checks a nonce (via wp_verify_nonce() or check_admin_referer()) before acting on the submitted data, so any request arriving with a valid login cookie is accepted regardless of which site originated it.
Exploitation requires no authentication on the attacker's side, but it does require a privileged user (such as an administrator) to be tricked into performing the action. The attacker crafts a page or link that, when visited by the target while logged in to the WordPress admin, makes the victim's browser submit a forged request to the plugin's handler. Because the browser attaches the victim's session cookies, the plugin treats the request as legitimate and stores the attacker-supplied content, including script markup, without verifying its origin; that stored content is the XSS payload [1].
Successful exploitation lets an attacker persist malicious script in the site's database or plugin configuration, from where it executes in the browser of anyone who loads the affected page. The stored XSS can be used to steal session cookies, deface the site, or pivot to further attacks against other administrators or visitors. The CVSS score of 7.1 (rated High) reflects the cross-site impact and the low attack complexity, tempered by the need for interaction from a privileged user [1].
As of the publication date (August 2025), no patch is available; the vendor (savyour) recommends updating the plugin as soon as a fixed version is released. Sites that cannot update immediately should temporarily disable the plugin or apply web application firewall rules that block the forged request and the XSS payload [1]. The vulnerability has been flagged as likely to be used in mass-exploit campaigns, so prompt action is advised [1].
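The pattern described above, as an added PHP example that is not the Savyour plugin's code: a hypothetical plugin stores an HTML banner through an admin-post.php handler. The first handler shows the CSRF-to-stored-XSS shape (no nonce, no capability check, unsanitized storage, unescaped output); the second shows the hardened form. All names prefixed `example_` and the option `example_banner_html` are assumptions for illustration; the WordPress functions used (`add_action`, `check_admin_referer`, `wp_nonce_field`, `current_user_can`, `wp_kses_post`, `wp_unslash`, `update_option`) are real core APIs.

```php
<?php
// Added example (not the Savyour plugin's code). Hypothetical plugin "example".

/* ---------- Vulnerable pattern: CSRF leads to stored XSS ---------- */

// Hook name derives from the hidden "action" field posted to admin-post.php.
add_action( 'admin_post_example_save_banner', 'example_save_banner_vulnerable' );

function example_save_banner_vulnerable() {
    // No current_user_can() and no nonce check: a cross-site form that the
    // admin's browser auto-submits while logged in is accepted as-is.
    $banner = isset( $_POST['banner_html'] ) ? wp_unslash( $_POST['banner_html'] ) : '';
    update_option( 'example_banner_html', $banner ); // stored without sanitization
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings&saved=1' ) );
    exit;
}

function example_render_banner_vulnerable() {
    // Unescaped output: the stored payload executes for every visitor.
    echo get_option( 'example_banner_html', '' );
}

/* ---------- Hardened pattern ---------- */

add_action( 'admin_post_example_save_banner_safe', 'example_save_banner_hardened' );

function example_save_banner_hardened() {
    // 1. Authorization: only users allowed to manage options may change it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), 403 );
    }
    // 2. CSRF: the nonce is bound to this action and to the victim's session,
    //    so a forged request from another origin cannot carry a valid one.
    //    check_admin_referer() calls wp_die() on failure.
    check_admin_referer( 'example_save_banner', 'example_nonce' );
    // 3. Input: keep only the HTML subset allowed for post content
    //    (use sanitize_text_field() instead if no markup is needed).
    $banner = isset( $_POST['banner_html'] )
        ? wp_kses_post( wp_unslash( $_POST['banner_html'] ) )
        : '';
    update_option( 'example_banner_html', $banner );
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings&saved=1' ) );
    exit;
}

function example_render_banner_hardened() {
    // 4. Output: filter again at render time (defence in depth against
    //    values written before the fix or by another code path).
    echo wp_kses_post( get_option( 'example_banner_html', '' ) );
}

// Settings form that emits the nonce the hardened handler expects.
function example_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_banner_safe">
        <?php wp_nonce_field( 'example_save_banner', 'example_nonce' ); ?>
        <textarea name="banner_html"><?php
            echo esc_textarea( get_option( 'example_banner_html', '' ) );
        ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}
```

To exercise the vulnerable handler, an attacker only needs a page on any origin containing a hidden form that targets `admin-post.php` with `action=example_save_banner` and a `banner_html` field holding a `<script>` payload, auto-submitted by JavaScript when a logged-in administrator visits. Browser SameSite cookie defaults do not reliably block such a top-level POST, which is why the server-side nonce check is the control that matters; the capability check and the input and output filtering then limit what a request that does carry a valid nonce can do.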
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Savyour Affiliate Partner plugin for WordPress: versions <= 2.1.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.