Skip to main content

Coupon Affiliates CVE-2026-40770

| EUVDEUVD-2026-36979 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 Patchstack GHSA-gm96-jpjv-4px7
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Network-reachable WordPress plugin endpoint, no attacker auth, but victim click required; XSS in admin origin gives scope change with limited C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:11 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Coupon Affiliates <= 7.5.3 versions.

AnalysisAI

Unauthenticated reflected/stored cross-site scripting in the Coupon Affiliates WordPress plugin (versions up to and including 7.5.3) allows remote attackers to inject malicious script that executes in a victim's browser after user interaction. The CVSS 3.1 score of 7.1 with scope change (S:C) indicates impact beyond the vulnerable component, typical of XSS reaching the WordPress admin or affiliate context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

Coupon Affiliates (formerly Woo Coupon Usage, plugin slug 'woo-coupon-usage') is a WordPress/WooCommerce plugin from RelyWP that lets store owners assign coupons to affiliates and track usage. The CPE 'cpe:2.3:a:relywp:coupon_affiliates' identifies the affected vendor and product. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning the plugin emits attacker-controlled data into HTML responses without adequate output encoding or input sanitization. The Patchstack advisory categorizes it under the woo-coupon-usage plugin database entry, indicating the flaw resides in a plugin-rendered view rendered to either affiliates or store administrators.

RemediationAI

Upgrade the Coupon Affiliates plugin to a version newer than 7.5.3 once available from the vendor; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/woo-coupon-usage/vulnerability/wordpress-coupon-affiliates-plugin-7-5-3-cross-site-scripting-xss-vulnerability for the fixed release. The input does not specify an exact fixed version, so released patched version not independently confirmed - verify with the plugin's WordPress.org changelog before deploying. As compensating controls while patching, deploy a Web Application Firewall (e.g., Patchstack mU plugin or Wordfence) with virtual patching rules for this CVE, enforce a strict Content-Security-Policy that disallows inline script execution on WooCommerce admin pages (side effect: may break admin features relying on inline JS), and temporarily deactivate the plugin if the affiliate functionality is not business-critical (side effect: affiliate tracking and coupon attribution will stop working).

Share

CVE-2026-40770 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy