VYPR
Medium severity 6.5 · NVD Advisory · Published Jul 16, 2025 · Updated Apr 23, 2026

CVE-2025-54022

Description

Cross-Site Request Forgery (CSRF) vulnerability in Elliot Sowersby / RelyWP Coupon Affiliates woo-coupon-usage allows Cross Site Request Forgery. This issue affects Coupon Affiliates: from n/a through <= 6.4.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF vulnerability in Coupon Affiliates plugin for WordPress (≤6.4.0) allows attackers to force privileged users to perform unintended actions.

Vulnerability Overview

The Coupon Affiliates plugin for WordPress (woo-coupon-usage) contains a Cross-Site Request Forgery (CSRF) vulnerability affecting versions through 6.4.0 [1]. The flaw arises because the plugin does not implement proper CSRF tokens or other validation mechanisms to distinguish between legitimate and malicious requests, allowing an attacker to trick a logged-in administrator into unknowingly executing actions [1].

Attack Surface and Exploitation

Exploitation requires user interaction: a privileged user must click a crafted link, visit a malicious page, or submit a form while authenticated to the WordPress site [1]. No special network access is needed beyond that achievable through social engineering, and the attacker does not need prior authentication. The vulnerability can be exploited remotely, making it a practical vector in mass-exploit campaigns [1].

Impact

A successful CSRF attack could force a higher-privileged user (such as a site administrator) to perform unintended actions under their current session [1]. Depending on the capabilities exposed through the plugin's functionality, this could include changing settings, modifying coupons, or other actions that compromise the affiliate management system [1].

Mitigation

The vendor has released version 6.4.1, which resolves the issue; users should update immediately [1]. For those unable to update, temporary workarounds such as employing a web application firewall or contacting a hosting provider are recommended, though Patchstack notes the severity is low and exploitation is considered unlikely [1]. Auto-updates for vulnerable plugins can also be enabled for Patchstack users [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
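The missing control described in the Vulnerability Overview and the fix implied by the Mitigation section come down to request validation in the plugin's admin handlers. The following is an added illustration, not code from the Coupon Affiliates plugin: a hypothetical settings handler (function names, option name and nonce action are assumptions) in the unprotected shape the advisory describes, then hardened with a WordPress nonce and a capability check.

```php
<?php
// Added example, not the plugin's own code. All identifiers below are hypothetical.

// Unprotected pattern: any authenticated request that reaches this handler is acted on,
// so a cross-site form submitted by a logged-in admin's browser is indistinguishable
// from a legitimate one. This is the class of flaw the advisory describes.
function vypr_example_save_settings_unprotected() {
    if ( ! isset( $_POST['commission_rate'] ) ) {
        return;
    }
    update_option( 'vypr_example_commission_rate', sanitize_text_field( wp_unslash( $_POST['commission_rate'] ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=vypr-example&saved=1' ) );
    exit;
}

// Hardened pattern: verify the nonce bound to this specific action, then the capability.
function vypr_example_save_settings_protected() {
    // check_admin_referer() stops execution with a 403 page when the nonce is absent,
    // stale, or was issued for a different action or user.
    check_admin_referer( 'vypr_example_save_settings', '_vypr_nonce' );

    // A nonce proves intent, not authorization; still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'vypr-example' ), 403 );
    }

    $rate = isset( $_POST['commission_rate'] ) ? sanitize_text_field( wp_unslash( $_POST['commission_rate'] ) ) : '';
    update_option( 'vypr_example_commission_rate', $rate );
    wp_safe_redirect( admin_url( 'admin.php?page=vypr-example&saved=1' ) );
    exit;
}
add_action( 'admin_post_vypr_example_save_settings', 'vypr_example_save_settings_protected' );

// The settings form must carry the matching nonce field: wp_nonce_field() emits the
// hidden nonce input (plus the referer field) that check_admin_referer() validates.
function vypr_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="vypr_example_save_settings">
        <?php wp_nonce_field( 'vypr_example_save_settings', '_vypr_nonce' ); ?>
        <label>Commission rate <input type="text" name="commission_rate"></label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

For AJAX endpoints the equivalent check is check_ajax_referer(), and for REST routes a permission_callback; the same rule applies that every state-changing handler needs both an intent check (nonce) and an authorization check (capability).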

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0

No linked articles in our index yet.