CVE-2026-40770

Vulnerability

The Coupon Affiliates plugin for WordPress (versions up to and including 7.5.3) contains an unauthenticated cross-site scripting (XSS) vulnerability. The flaw arises from insufficient input sanitization and output escaping, enabling injection of arbitrary HTML and JavaScript. No authentication is required to trigger the vulnerability, though successful exploitation requires user interaction from a privileged user. [1]

Exploitation

An attacker can exploit this vulnerability without authentication by crafting a malicious payload and delivering it via a link or a crafted page. The attack requires a privileged user (e.g., an administrator) to perform an action such as clicking the malicious link, visiting a specially crafted page, or submitting a form. The lack of input validation allows the payload to be processed by the vulnerable plugin, leading to script execution in the victim's browser. [1]

Impact

Successful exploitation allows the attacker to inject malicious scripts (e.g., redirects, advertisements, or other HTML payloads) that are executed when the privileged user or any site visitor accesses the affected page. This can lead to session theft, defacement, or further compromise of the WordPress site. The vulnerability is considered moderately dangerous and is expected to be leveraged in mass-exploit campaigns. [1]

Mitigation

The vulnerability is fixed in version 7.6.0 of the Coupon Affiliates plugin. All users should update to that version or later immediately. If updating is not possible, a mitigation rule is available from Patchstack to block attacks until the update can be applied. No other workarounds are provided in the available references. [1]