{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-7690", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-15T19:07:22.680Z", "datePublished": "2025-07-24T09:22:22.365Z", "dateUpdated": "2026-04-08T17:33:01.679Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:33:01.679Z"}, "affected": [{"vendor": "mindnl", "product": "Affiliate Plus", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.3.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Affiliate Plus plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.2. This is due to missing or incorrect nonce validation on the 'affiplus_settings' page. This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Affiliate Plus <= 1.3.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f3fc6230-043f-4079-a82a-1b5d191dbf7d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/affiliate-plus/trunk/affipsettings.php"}, {"url": "https://plugins.trac.wordpress.org/browser/affiliate-plus/trunk/affiplus.php"}, {"url": "https://wordpress.org/plugins/affiliate-plus/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "timeline": [{"time": "2025-07-23T20:43:37.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-24T13:05:30.255300Z", "id": "CVE-2025-7690", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-24T13:05:34.655Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7690", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-24T13:05:30.255300Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-24T13:05:32.022Z"}}], "cna": {"title": "Affiliate Plus <= 1.3.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "mindnl", "product": "Affiliate Plus", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.3.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-23T20:43:37.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f3fc6230-043f-4079-a82a-1b5d191dbf7d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/affiliate-plus/trunk/affipsettings.php"}, {"url": "https://plugins.trac.wordpress.org/browser/affiliate-plus/trunk/affiplus.php"}, {"url": "https://wordpress.org/plugins/affiliate-plus/"}], "descriptions": [{"lang": "en", "value": "The Affiliate Plus plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.2. This is due to missing or incorrect nonce validation on the 'affiplus_settings' page. This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:33:01.679Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7690", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:33:01.679Z", "dateReserved": "2025-07-15T19:07:22.680Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-24T09:22:22.365Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Affiliate Plus plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.2. This is due to missing or incorrect nonce validation on the 'affiplus_settings' page. This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento Affiliate Plus para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 1.3.2 incluida. Esto se debe a la falta o la validaci\u00f3n incorrecta de nonce en la p\u00e1gina 'affiplus_settings'. Esto permite que atacantes no autenticados realicen acciones no autorizadas, ya que pueden enga\u00f1ar al administrador del sitio para que haga clic en un enlace."}], "id": "CVE-2025-7690", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-24T10:15:28.283", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/affiliate-plus/trunk/affiplus.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/affiliate-plus/trunk/affipsettings.php"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/affiliate-plus/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f3fc6230-043f-4079-a82a-1b5d191dbf7d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T20:07:30.035375+00:00", "value": {"mitigation_remediation": ["Upgrade the Affiliate Plus plugin to a version later than 1.3.2 that implements proper nonce validation.", "If upgrading is not immediately feasible, deactivate or uninstall the plugin to prevent the CSRF surface.", "Apply strict input validation and output sanitization on all forms in the plugin to mitigate potential residual weaknesses, following best practices for preventing CWE\u2011352 vulnerabilities."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Request Forgery enabling unauthorized administrator actions"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Affiliate Plus plugin by mindnl, versions 1.3.2 or earlier, are affected. The vulnerability impacts all installations that include the affiplus_settings page without proper nonce checks.", "description_and_impact": "The Affiliate Plus plugin for WordPress contains a Cross\u2011Site Request Forgery vulnerability caused by missing or incorrect nonce validation on its settings page. This flaw permits an unauthenticated attacker to masquerade as an administrator by luring the admin to click a malicious link or submit a crafted request, thereby executing actions that the admin is authorized to perform. The impact manifests as unauthorized configuration changes and could expose the site to further exploitation, such as stored cross\u2011site scripting, although the vulnerability itself does not directly inject scripts.", "risk_and_exploitability": "With a CVSS score of 6.1 the flaw is considered medium severity. The EPSS score of <\u00a01% indicates that documented exploitation is unlikely, and the vulnerability is not listed in CISA KEV. Exploitation requires the attacker to trick an administrator into following a malicious link or submitting a forged request, making the attack vector largely social\u2011engineering based rather than automated."}}}}, "created": "2025-07-24T21:26:41.190276+00:00", "updated": "2026-04-20T20:15:06.220518+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}