The Coupon Affiliates – Affiliate Plugin for WooCommerce, developed by elliotvs, suffers from a code injection vulnerability classified as CWE-94, due to improper control over the generation of code via WordPress shortcodes. Specifically, the plugin fails to properly validate user-supplied input before passing it to the WordPress function do_shortcode, which processes shortcode tags embedded in content. This vulnerability allows unauthenticated attackers to craft requests that execute arbitrary shortcodes, effectively enabling remote code execution within the context of the WordPress site. Additionally, the plugin was vulnerable to reflected cross-site scripting (XSS), which could be used to steal session tokens or perform actions on behalf of users. The XSS issue was addressed in version 5.16.7.1, while the more severe arbitrary shortcode execution was fixed in version 5.16.7.2. The vulnerability affects all versions up to and including 5.16.7.1. The CVSS 3.1 base score is 6.5, reflecting network attack vector, no privileges required, no user interaction, and partial impact on confidentiality and integrity but no impact on availability. No public exploits have been reported yet, but the vulnerability's nature and ease of exploitation make it a significant risk for WordPress sites using this plugin.

If exploited, this vulnerability can allow attackers to execute arbitrary shortcodes, which may lead to unauthorized code execution within the WordPress environment. This can compromise site integrity, allowing attackers to manipulate content, escalate privileges, or deploy further malicious payloads such as backdoors or malware. The reflected XSS vulnerability could enable session hijacking or phishing attacks against site administrators or users. Since no authentication is required, any remote attacker can attempt exploitation, increasing the threat surface. For organizations relying on WooCommerce and this plugin for affiliate marketing or coupon management, exploitation could result in data breaches, loss of customer trust, defacement, or disruption of e-commerce operations. The absence of known exploits in the wild currently reduces immediate risk but does not diminish the potential impact if weaponized.

Organizations should immediately update the Coupon Affiliates – Affiliate Plugin for WooCommerce to version 5.16.7.2 or later, where both the arbitrary shortcode execution and reflected XSS vulnerabilities are patched. Until the update is applied, administrators should consider disabling the plugin or restricting access to its functionality via web application firewalls (WAF) or IP whitelisting to reduce exposure. Monitoring web server logs for suspicious requests containing shortcode payloads can help detect attempted exploitation. Employing security plugins that limit shortcode execution or sanitize inputs can add an additional layer of defense. Regularly auditing installed plugins for updates and vulnerabilities is critical. Additionally, enforcing the principle of least privilege for WordPress users and backing up site data frequently will aid in recovery if compromise occurs.