CVE-2025-3598: 
WordPress vulnerability analysis and mitigation

The Coupon Affiliates – Affiliate Plugin for WooCommerce plugin for WordPress contains a Reflected Cross-Site Scripting vulnerability (CVE-2025-3598) discovered in April 2025. The vulnerability affects all versions up to and including 6.3.0, and is present in the commission_summary parameter. This security issue has been assigned a CVSS v3.1 base score of 6.1 (Medium) (Wordfence).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and stems from insufficient input sanitization and output escaping in the commission_summary parameter. The vulnerability has received a CVSS v3.1 score of 6.1 MEDIUM with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating that it requires user interaction but can be exploited remotely without authentication (NVD).

If successfully exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link. The impact includes potential disclosure of sensitive information and possible manipulation of web content presented to users (NVD).

Users should update their Coupon Affiliates – Affiliate Plugin for WooCommerce to a version newer than 6.3.0 to protect against this vulnerability. Until an update can be applied, site administrators should consider implementing additional security controls such as Web Application Firewalls (WAF) to help mitigate potential exploitation attempts (NVD).