{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3598", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-04-14T15:00:30.555Z", "datePublished": "2025-04-18T05:22:59.653Z", "dateUpdated": "2026-04-08T16:44:11.694Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:44:11.694Z"}, "affected": [{"vendor": "elliotvs", "product": "Coupon Affiliates \u2013 Affiliate Plugin for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.3.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Coupon Affiliates \u2013 Affiliate Plugin for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the commission_summary parameter in all versions up to, and including, .6.3.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "title": "Coupon Affiliates \u2013 Affiliate Plugin for WooCommerce <= 6.3.0 - Reflected Cross-Site Scripting via 'commission_summary' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d6cf33c-ac40-4892-9345-64ebe61e6be6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-coupon-usage/tags/6.2.2/inc/functions/functions-all-time.php#L245"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "wesley"}], "timeline": [{"time": "2025-04-14T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-04-17T16:23:45.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-18T11:47:42.126241Z", "id": "CVE-2025-3598", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-18T12:00:53.188Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3598", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-18T11:47:42.126241Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-18T11:47:46.993Z"}}], "cna": {"title": "Coupon Affiliates \u2013 Affiliate Plugin for WooCommerce <= 6.3.0 - Reflected Cross-Site Scripting via 'commission_summary' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "wesley"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "elliotvs", "product": "Coupon Affiliates \u2013 Affiliate Plugin for WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.3.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-14T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-04-17T16:23:45.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d6cf33c-ac40-4892-9345-64ebe61e6be6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-coupon-usage/tags/6.2.2/inc/functions/functions-all-time.php#L245"}], "descriptions": [{"lang": "en", "value": "The Coupon Affiliates \u2013 Affiliate Plugin for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the commission_summary parameter in all versions up to, and including, .6.3.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:44:11.694Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3598", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:44:11.694Z", "dateReserved": "2025-04-14T15:00:30.555Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-04-18T05:22:59.653Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Coupon Affiliates \u2013 Affiliate Plugin for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the commission_summary parameter in all versions up to, and including, .6.3.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento Coupon Affiliates \u2013 Affiliate Plugin for WooCommerce para WordPress es vulnerable a ataques de Cross-Site Scripting Reflejado a trav\u00e9s del par\u00e1metro commission_summary en todas las versiones hasta la 6.3.0 incluida, debido a una depuraci\u00f3n de entrada y al escape de salida insuficiente. Esto permite a atacantes no autenticados inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutan si logran enga\u00f1ar al usuario para que realice una acci\u00f3n, como hacer clic en un enlace."}], "id": "CVE-2025-3598", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-04-18T06:15:44.987", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woo-coupon-usage/tags/6.2.2/inc/functions/functions-all-time.php#L245"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d6cf33c-ac40-4892-9345-64ebe61e6be6?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T17:31:35.656425+00:00", "value": {"mitigation_remediation": ["Update Coupon Affiliates \u2013 Affiliate Plugin for WooCommerce to version 6.3.1 or later to remove the vulnerable parameter handling code.", "If an immediate update is unavailable, configure a web\u2011application firewall or rewrite rules to strip or escape the commission_summary parameter before it reaches the plugin script. This mitigates the XSS risk by preventing execution of injected code.", "Implement ongoing monitoring for anomalous user activity or unexpected script executions on WordPress front\u2011end pages, and investigate any suspicious requests containing the commission_summary parameter."], "summary": {"action": "Patch", "impact": "Reflected Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the Coupon Affiliates \u2013 Affiliate Plugin for WooCommerce version 6.3.0 or earlier are affected. The vulnerability applies to all releases up to and including 6.3.0, regardless of custom configuration or usage of the commission_summary parameter.", "description_and_impact": "The Coupon Affiliates \u2013 Affiliate Plugin for WooCommerce is vulnerable to reflected cross\u2011site scripting through the commission_summary parameter. Insufficient input sanitization and output escaping allow an unauthenticated attacker to inject arbitrary JavaScript that executes when a victim follows a crafted link. If the victim performs the expected action, the injected script can steal session cookies, deface content, or obtain sensitive data. The flaw relies solely on user interaction and does not require prior authentication or privileged access.", "risk_and_exploitability": "The flaw carries a CVSS score of 6.1, indicating a moderate severity. Its EPSS score is reported as less than 1\u202f%, suggesting a low probability of exploitation at this time, and it is not listed in the CISA KEV catalog. The likely attack vector involves an attacker delivering a malicious URL that contains a crafted commission_summary value, which a victim is then lured to click. Successful exploitation requires only that a user visit the URL; no authentication or additional system compromise is needed."}}}}, "created": "2026-04-22T17:45:22.917887+00:00", "updated": "2026-04-22T17:45:22.917905+00:00", "vendors": []}