The vulnerability CVE-2025-46506 in the Lora77 WpZon – Amazon Affiliate Plugin (versions <= 1.3) is a Cross-Site Request Forgery (CSRF) issue that also involves reflected XSS. This allows an attacker to trick a user into executing unwanted actions on a web application in which they are authenticated, potentially leading to partial compromise of data confidentiality, integrity, and availability. The CVSS 3.1 base score is 7.1, indicating high severity, with network attack vector, low attack complexity, no privileges required, user interaction required, and scope changed. The vulnerability affects all versions up to 1.3, but no patch or fix information is currently available.

Successful exploitation of this vulnerability can allow attackers to perform unauthorized actions on behalf of authenticated users, potentially leading to partial loss of confidentiality, integrity, and availability of the affected system. The reflected XSS component may facilitate further attacks such as session hijacking or phishing. However, there are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or removing the vulnerable plugin to mitigate risk. Monitor vendor channels for updates regarding patches or official mitigations.