CVE-2025-26957: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion (LFI) vulnerability was discovered in Deetronix Affiliate Coupons WordPress plugin, identified as CVE-2025-26957. The vulnerability affects versions through 1.7.3 of the Affiliate Coupons plugin. This security issue was disclosed on February 23, 2025, and involves improper control of filename for Include/Require statements in PHP programs (Patchstack, NVD).

The vulnerability is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). It has received a CVSS v3.1 base score of 7.5 (High), with the following vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability requires contributor-level access to exploit (NVD, Patchstack).

The vulnerability could allow a malicious actor to include local files of the target website and display their output on the screen. This could potentially lead to exposure of sensitive information, such as database credentials, which depending on the configuration could result in complete database takeover (Patchstack).

The vulnerability has been fixed in version 1.7.4 of the Affiliate Coupons plugin. Users are advised to update to version 1.7.4 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins (Patchstack).