Skip to main content

Elliot Sowersby CVE-2025-54022

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-07-16 audit@patchstack.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:42 NVD
6.5 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:43 vuln.today
CVE Published
Jul 16, 2025 - 11:15 nvd
N/A

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in Elliot Sowersby / RelyWP Coupon Affiliates woo-coupon-usage allows Cross Site Request Forgery.This issue affects Coupon Affiliates: from n/a through <= 6.4.0.

AnalysisAI

Cross-site request forgery (CSRF) in the RelyWP Coupon Affiliates WordPress plugin (woo-coupon-usage) through version 6.4.0 allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge or consent. The vulnerability affects the plugin's coupon management functionality and requires user interaction (tricking an admin into visiting a malicious page), but carries negligible real-world exploitation probability per EPSS scoring (0.02%, 6th percentile).

Technical ContextAI

The vulnerability is a CSRF weakness (CWE-352) in the woo-coupon-usage WordPress plugin, which integrates WooCommerce coupon functionality with affiliate tracking. CSRF attacks exploit the trust a web application places in authenticated user sessions; when an attacker crafts a malicious request and tricks a logged-in admin into visiting it, the browser automatically includes session cookies, causing the application to execute the attacker's intended action. The vulnerability likely affects plugin AJAX handlers or form submissions that lack CSRF token validation (nonce verification in WordPress terminology). The affected product is identified by the CPE reference WordPress plugin 'Coupon Affiliates' (woo-coupon-usage) versions up to and including 6.4.0.

Affected ProductsAI

RelyWP Coupon Affiliates plugin for WordPress (woo-coupon-usage), all versions from initial release through version 6.4.0. The plugin is available on the WordPress plugin repository and is identified in vulnerability databases as 'Coupon Affiliates' or 'woo-coupon-usage'.

RemediationAI

Update the RelyWP Coupon Affiliates plugin to version 6.4.1 or later, which includes CSRF token (nonce) validation fixes. WordPress administrators should navigate to Plugins > Installed Plugins, locate 'Coupon Affiliates', and click 'Update Now' if a newer version is available. For immediate interim mitigation prior to patching, restrict WordPress admin access to known IP ranges via .htaccess or firewall rules, and educate administrators about not clicking suspicious links while logged into the WordPress dashboard. Refer to the Patchstack vulnerability database entry (https://patchstack.com/database/Wordpress/Plugin/woo-coupon-usage/vulnerability/wordpress-coupon-affiliates-plugin-6-4-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve) for detailed patch notes and advisory information.

Share

CVE-2025-54022 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy