CVE-2025-54022

2025-07-16 [email protected]

Lifecycle Timeline

Analysis Generated
Apr 01, 2026 - 17:43 vuln.today
CVE Published
Jul 16, 2025 - 11:15 nvd

Description

Cross-Site Request Forgery (CSRF) vulnerability in Elliot Sowersby / RelyWP Coupon Affiliates woo-coupon-usage allows Cross Site Request Forgery. This issue affects Coupon Affiliates: from n/a through <= 6.4.0.

Analysis

Cross-site request forgery (CSRF) in the RelyWP Coupon Affiliates WordPress plugin (woo-coupon-usage) through version 6.4.0 allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge or consent. The vulnerability affects the plugin's coupon management functionality and requires user interaction (tricking an admin into visiting a malicious page), but carries negligible real-world exploitation probability per EPSS scoring (0.02%, 6th percentile).

Technical Context

The vulnerability is a CSRF weakness (CWE-352) in the woo-coupon-usage WordPress plugin, which integrates WooCommerce coupon functionality with affiliate tracking. CSRF attacks exploit the trust a web application places in authenticated user sessions: when an attacker crafts a malicious request and tricks a logged-in admin into triggering it, the browser automatically attaches the session cookies, so the application executes the action as if the admin had requested it. The vulnerability likely lies in plugin AJAX handlers or form submissions that lack CSRF token validation (nonce verification, in WordPress terminology). Per its CPE reference, the affected product is the WordPress plugin 'Coupon Affiliates' (woo-coupon-usage), versions up to and including 6.4.0.

Affected Products

RelyWP Coupon Affiliates plugin for WordPress (woo-coupon-usage), all versions from initial release through version 6.4.0. The plugin is available on the WordPress plugin repository and is identified in vulnerability databases as 'Coupon Affiliates' or 'woo-coupon-usage'.

Remediation

Update the RelyWP Coupon Affiliates plugin to version 6.4.1 or later, which includes CSRF token (nonce) validation fixes. WordPress administrators should navigate to Plugins > Installed Plugins, locate 'Coupon Affiliates', and click 'Update Now' if a newer version is available. For immediate interim mitigation prior to patching, restrict WordPress admin access to known IP ranges via .htaccess or firewall rules, and educate administrators about not clicking suspicious links while logged into the WordPress dashboard. Refer to the Patchstack vulnerability database entry (https://patchstack.com/database/Wordpress/Plugin/woo-coupon-usage/vulnerability/wordpress-coupon-affiliates-plugin-6-4-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve) for detailed patch notes and advisory information.
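The nonce-validation gap described under Technical Context, and the "nonce validation fixes" referred to in the remediation, can be illustrated with a generic WordPress admin-ajax handler. The code below is an added example written for this page; it is not code from the woo-coupon-usage plugin, and the hook names, action names, option name and capability (`manage_woocommerce`) are assumptions chosen for the demonstration. It shows the unprotected pattern beside the hardened one, using only core WordPress functions (`check_ajax_referer`, `check_admin_referer`, `wp_create_nonce`, `current_user_can`).

```php
<?php
// Added illustration, not code from the Coupon Affiliates plugin. Hook and
// option names below are hypothetical.

// --- Unprotected pattern: any request carrying the admin's session cookie is honoured. ---
add_action( 'wp_ajax_demo_update_coupon_setting', 'demo_update_coupon_setting_unsafe' );
function demo_update_coupon_setting_unsafe() {
    // A cross-origin form POST lands here with the logged-in admin's cookies,
    // so the option is rewritten without the admin having intended it.
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'demo_coupon_setting', $value );
    wp_send_json_success();
}

// --- Hardened pattern: a nonce ties the request to a page this user actually loaded,
// and a capability check ties it to a role allowed to change the setting. ---
add_action( 'wp_ajax_demo_update_coupon_setting_safe', 'demo_update_coupon_setting_safe' );
function demo_update_coupon_setting_safe() {
    // Dies with -1 / HTTP 403 unless $_POST['_ajax_nonce'] was minted by
    // wp_create_nonce( 'demo_update_coupon_setting' ) for this user and session.
    check_ajax_referer( 'demo_update_coupon_setting', '_ajax_nonce' );

    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'demo_coupon_setting', $value );
    wp_send_json_success();
}

// Minting the nonce for the admin page's script, which is what makes the AJAX call.
// The script must send it back as the '_ajax_nonce' POST field.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'demo-coupon-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-coupon-admin', 'demoCoupon', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_update_coupon_setting' ),
    ) );
} );

// Classic (non-AJAX) form handler: the equivalent pair is wp_nonce_field() in the
// form markup and check_admin_referer() in the handler.
add_action( 'admin_post_demo_save_coupon_form', function () {
    check_admin_referer( 'demo_save_coupon_form', '_wpnonce' );
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'insufficient privileges', '', array( 'response' => 403 ) );
    }
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'demo_coupon_setting', $value );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
} );
```

When reviewing a plugin for this class of issue, the check is mechanical: every `wp_ajax_*` and `admin_post_*` handler that writes state should call `check_ajax_referer` or `check_admin_referer` before doing anything else, and pair it with a `current_user_can` check, since a nonce proves intent but not authorization.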

Priority Score

Priority score: 0 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.0, CVSS +0, POC 0


CVE-2025-54022 vulnerability details – vuln.today
