CVE-2025-7690: 
WordPress vulnerability analysis and mitigation

The Affiliate Plus plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in versions up to and including 1.3.2, identified as CVE-2025-7690. The vulnerability was discovered and disclosed on July 22, 2025, affecting the plugin's 'affiplus_settings' page due to missing or incorrect nonce validation (NVD). The plugin has been temporarily closed pending a full security review (WordPress).

The vulnerability stems from improper security controls on the 'affiplus_settings' page where nonce validation is either missing or incorrectly implemented. This security weakness is classified as CWE-352 (Cross-Site Request Forgery). The vulnerability has received a CVSS v3.1 base score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

The CSRF vulnerability allows unauthenticated attackers to perform unauthorized actions on the affected WordPress sites by tricking site administrators into clicking malicious links. This could lead to unauthorized changes in plugin settings and potential compromise of affiliate tracking functionality (NVD).

The plugin has been temporarily closed and is not available for download pending a full security review. Site administrators using the affected versions should consider disabling the plugin until a patched version is released (WordPress).