Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Network-reachable WordPress plugin endpoint, no attacker auth, but victim click required; XSS in admin origin gives scope change with limited C/I/A impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in Coupon Affiliates <= 7.5.3 versions.
AnalysisAI
Unauthenticated reflected/stored cross-site scripting in the Coupon Affiliates WordPress plugin (versions up to and including 7.5.3) allows remote attackers to inject malicious script that executes in a victim's browser after user interaction. The CVSS 3.1 score of 7.1 with scope change (S:C) indicates impact beyond the vulnerable component, typical of XSS reaching the WordPress admin or affiliate context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
Coupon Affiliates (formerly Woo Coupon Usage, plugin slug 'woo-coupon-usage') is a WordPress/WooCommerce plugin from RelyWP that lets store owners assign coupons to affiliates and track usage. The CPE 'cpe:2.3:a:relywp:coupon_affiliates' identifies the affected vendor and product. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning the plugin emits attacker-controlled data into HTML responses without adequate output encoding or input sanitization. The Patchstack advisory categorizes it under the woo-coupon-usage plugin database entry, indicating the flaw resides in a plugin-rendered view rendered to either affiliates or store administrators.
RemediationAI
Upgrade the Coupon Affiliates plugin to a version newer than 7.5.3 once available from the vendor; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/woo-coupon-usage/vulnerability/wordpress-coupon-affiliates-plugin-7-5-3-cross-site-scripting-xss-vulnerability for the fixed release. The input does not specify an exact fixed version, so released patched version not independently confirmed - verify with the plugin's WordPress.org changelog before deploying. As compensating controls while patching, deploy a Web Application Firewall (e.g., Patchstack mU plugin or Wordfence) with virtual patching rules for this CVE, enforce a strict Content-Security-Policy that disallows inline script execution on WooCommerce admin pages (side effect: may break admin features relying on inline JS), and temporarily deactivate the plugin if the affiliate functionality is not business-critical (side effect: affiliate tracking and coupon attribution will stop working).
More in Coupon Affiliates
View allSensitive data exposure in the Coupon Affiliates WordPress plugin (versions 7.8.1 and earlier) allows remote unauthentic
Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low at
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36979
GHSA-gm96-jpjv-4px7