CVE-2024-12421: CWE-94 Improper Control of Generation of Code ('Code Injection') in elliotvs Coupon Affiliates – Affiliate Plugin for WooCommerce
The The Coupon Affiliates – Affiliate Plugin for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.16.7.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. This functionality is also vulnerable to Reflected Cross-Site Scripting. The Cross-Site Scripting was patched in version 5.16.7.1, while the arbitrary shortcode execution was patched in 5.16.7.2.
AI Analysis
Technical Summary
CVE-2024-12421 is a code injection vulnerability (CWE-94) in the Coupon Affiliates – Affiliate Plugin for WooCommerce WordPress plugin. It allows unauthenticated attackers to execute arbitrary shortcodes because the plugin does not properly validate input before invoking do_shortcode. Additionally, a reflected Cross-Site Scripting vulnerability was present but fixed earlier. The shortcode execution flaw was patched in version 5.16.7.2, while the XSS was fixed in 5.16.7.1.
Potential Impact
Successful exploitation could allow an unauthenticated attacker to execute arbitrary shortcodes within the WordPress environment, potentially leading to unauthorized actions or code execution within the context of the plugin. The reflected XSS could allow attackers to execute scripts in the context of users interacting with the plugin. The impact is limited to confidentiality and integrity with no direct availability impact reported.
Mitigation Recommendations
Users should update the Coupon Affiliates – Affiliate Plugin for WooCommerce to version 5.16.7.2 or later to remediate the arbitrary shortcode execution vulnerability. The reflected XSS vulnerability was already fixed in version 5.16.7.1. No other mitigations are indicated by the vendor advisory.
CVE-2024-12421: CWE-94 Improper Control of Generation of Code ('Code Injection') in elliotvs Coupon Affiliates – Affiliate Plugin for WooCommerce
Description
The The Coupon Affiliates – Affiliate Plugin for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.16.7.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. This functionality is also vulnerable to Reflected Cross-Site Scripting. The Cross-Site Scripting was patched in version 5.16.7.1, while the arbitrary shortcode execution was patched in 5.16.7.2.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-12421 is a code injection vulnerability (CWE-94) in the Coupon Affiliates – Affiliate Plugin for WooCommerce WordPress plugin. It allows unauthenticated attackers to execute arbitrary shortcodes because the plugin does not properly validate input before invoking do_shortcode. Additionally, a reflected Cross-Site Scripting vulnerability was present but fixed earlier. The shortcode execution flaw was patched in version 5.16.7.2, while the XSS was fixed in 5.16.7.1.
Potential Impact
Successful exploitation could allow an unauthenticated attacker to execute arbitrary shortcodes within the WordPress environment, potentially leading to unauthorized actions or code execution within the context of the plugin. The reflected XSS could allow attackers to execute scripts in the context of users interacting with the plugin. The impact is limited to confidentiality and integrity with no direct availability impact reported.
Mitigation Recommendations
Users should update the Coupon Affiliates – Affiliate Plugin for WooCommerce to version 5.16.7.2 or later to remediate the arbitrary shortcode execution vulnerability. The reflected XSS vulnerability was already fixed in version 5.16.7.1. No other mitigations are indicated by the vendor advisory.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-12-10T16:23:29.101Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6e3bb7ef31ef0b59896f
Added to database: 2/25/2026, 9:48:43 PM
Last enriched: 4/9/2026, 12:44:50 PM
Last updated: 4/12/2026, 5:57:13 AM
Views: 17
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.