The The Coupon Affiliates – Affiliate Plugin for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.16.7.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. This functionality is also vulnerable to Reflected Cross-Site Scripting. The Cross-Site Scripting was patched in version 5.16.7.1, while the arbitrary shortcode execution was patched in 5.16.7.2.
History

Mon, 16 Dec 2024 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Dec 2024 08:45:00 +0000

Type Values Removed Values Added
Description The The Coupon Affiliates – Affiliate Plugin for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.16.7.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. This functionality is also vulnerable to Reflected Cross-Site Scripting. The Cross-Site Scripting was patched in version 5.16.7.1, while the arbitrary shortcode execution was patched in 5.16.7.2.
Title Coupon Affiliates – Affiliate Plugin for WooCommerce <= 5.16.7.1 - Unauthenticated Arbitrary Shortcode Execution and Reflected Cross-Site Scripting
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-12-13T08:24:49.496Z

Updated: 2024-12-16T16:41:47.531Z

Reserved: 2024-12-10T16:23:29.101Z

Link: CVE-2024-12421

cve-icon Vulnrichment

Updated: 2024-12-16T15:59:39.782Z

cve-icon NVD

Status : Received

Published: 2024-12-13T09:15:08.870

Modified: 2024-12-13T09:15:08.870

Link: CVE-2024-12421

cve-icon Redhat

No data.