Elliot Sowersby CVE-2025-54022
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in Elliot Sowersby / RelyWP Coupon Affiliates woo-coupon-usage allows Cross Site Request Forgery.This issue affects Coupon Affiliates: from n/a through <= 6.4.0.
AnalysisAI
Cross-site request forgery (CSRF) in the RelyWP Coupon Affiliates WordPress plugin (woo-coupon-usage) through version 6.4.0 allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge or consent. The vulnerability affects the plugin's coupon management functionality and requires user interaction (tricking an admin into visiting a malicious page), but carries negligible real-world exploitation probability per EPSS scoring (0.02%, 6th percentile).
Technical ContextAI
The vulnerability is a CSRF weakness (CWE-352) in the woo-coupon-usage WordPress plugin, which integrates WooCommerce coupon functionality with affiliate tracking. CSRF attacks exploit the trust a web application places in authenticated user sessions; when an attacker crafts a malicious request and tricks a logged-in admin into visiting it, the browser automatically includes session cookies, causing the application to execute the attacker's intended action. The vulnerability likely affects plugin AJAX handlers or form submissions that lack CSRF token validation (nonce verification in WordPress terminology). The affected product is identified by the CPE reference WordPress plugin 'Coupon Affiliates' (woo-coupon-usage) versions up to and including 6.4.0.
Affected ProductsAI
RelyWP Coupon Affiliates plugin for WordPress (woo-coupon-usage), all versions from initial release through version 6.4.0. The plugin is available on the WordPress plugin repository and is identified in vulnerability databases as 'Coupon Affiliates' or 'woo-coupon-usage'.
RemediationAI
Update the RelyWP Coupon Affiliates plugin to version 6.4.1 or later, which includes CSRF token (nonce) validation fixes. WordPress administrators should navigate to Plugins > Installed Plugins, locate 'Coupon Affiliates', and click 'Update Now' if a newer version is available. For immediate interim mitigation prior to patching, restrict WordPress admin access to known IP ranges via .htaccess or firewall rules, and educate administrators about not clicking suspicious links while logged into the WordPress dashboard. Refer to the Patchstack vulnerability database entry (https://patchstack.com/database/Wordpress/Plugin/woo-coupon-usage/vulnerability/wordpress-coupon-affiliates-plugin-6-4-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve) for detailed patch notes and advisory information.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today