Coupon Affiliates WooCommerce Plugin Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in the Coupon Affiliates – Affiliate Plugin for WooCommerce, affecting all WordPress versions through 6.3.0. The issue arises from inadequate input sanitization and output escaping in the commission_summary parameter, allowing unauthenticated attackers to inject arbitrary web scripts. These scripts could be executed if a user is tricked into clicking a link.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

The vulnerability can be reproduced by sending a request to a page that uses the vulnerable plugin, including the commission_summary parameter with injected script content. If the injected script is executed, the vulnerability has been successfully exploited.

Remediation

Users are advised to update the Coupon Affiliates – Affiliate Plugin for WooCommerce to version 6.3.1 or later.