Platform: wordpress
Component: thirstyaffiliates
Fixed in: 3.11.10
CVE-2026-25024 identifies a Cross-Site Request Forgery (CSRF) vulnerability within the ThirstyAffiliates WordPress plugin. A CSRF attack allows an attacker to trick a user into performing actions they did not intend to, potentially leading to unauthorized modifications or access. This vulnerability affects versions of ThirstyAffiliates from 0.0.0 up to and including 3.11.9. A patch is available in version 3.11.10.
The CSRF vulnerability in ThirstyAffiliates lets an attacker cause actions to be executed on behalf of an authenticated user without that user's knowledge. The mechanism is the usual one for CSRF in WordPress plugins: the browser attaches the victim's WordPress session cookies to any request aimed at the site, so a request forged from a third-party page is accepted unless the receiving handler validates a nonce tied to the victim's session. An attacker could send a crafted link, or host a hidden auto-submitting form, that fires the affected request when visited by a WordPress user who is logged in and holds the plugin's privileges. The advisory does not enumerate the reachable actions; in a plugin that manages affiliate links, the plausible targets are modifying affiliate links, changing plugin settings, or deleting data. The impact is greatest when the victim is an administrator, since the forged request inherits the full privilege of that account. Successful exploitation could disrupt affiliate marketing campaigns and compromise the integrity of the WordPress site.
CVE-2026-25024 was publicly disclosed on 2026-02-03. No public proof-of-concept (PoC) code had been released at the time of writing. CSRF issues are generally straightforward to exploit once the vulnerable request is known, since the attacker needs only a page that submits it while the victim is logged in; even so, the EPSS score reported on this page is 0.02% (4th percentile), which models a low probability of exploitation in the wild. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (4th percentile)
CISA SSVC: not provided
CVSS Vector: not provided
The primary mitigation for CVE-2026-25024 is to upgrade the ThirstyAffiliates plugin to version 3.11.10 or later. If an immediate upgrade is not possible because of compatibility or testing requirements, a Web Application Firewall can reduce exposure but cannot close the hole: a WAF does not know which requests the user intended, so at best it can block requests to the plugin's admin endpoints (admin-post.php and admin-ajax.php actions belonging to the plugin) whose Origin or Referer header is not your own site, or restrict those endpoints to trusted networks. User awareness of suspicious links is a weak control against CSRF, since the forged request can be triggered by merely loading a page. Note that WordPress has no global CSRF setting to enable; core protection consists of nonces that are only effective for handlers that explicitly verify them, so the fix has to come from the plugin update. After upgrading, confirm the installed version is 3.11.10 or later and verify the plugin's functionality by creating and modifying affiliate links to ensure no unexpected behavior.
Update to version 3.11.10, or a newer patched version
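To make the mechanism described in the attack section and the nonce point in the mitigation section concrete, the following is an added example written for this page; it is not ThirstyAffiliates code and makes no claim about where the plugin's actual bug lives. It shows the generic vulnerable pattern for a WordPress admin-post handler beside the hardened form of the same handler. The action names, the `example_affiliate_redirect` option, the `example_nonce` field and the settings page slug are hypothetical placeholders.

```php
<?php
/**
 * Added illustration, not ThirstyAffiliates code. All names below
 * (actions, option, nonce field, page slug) are hypothetical.
 */

// ---- Vulnerable pattern: trusts any POST arriving with a valid session ----
// The browser sends the victim's WordPress auth cookies automatically, so a
// hidden form on an attacker's page that POSTs to
//   /wp-admin/admin-post.php?action=example_save_settings_vuln
// is processed exactly as if the administrator had submitted it.
add_action( 'admin_post_example_save_settings_vuln', 'example_save_settings_vuln' );
function example_save_settings_vuln() {
    // No nonce check, no capability check: whatever is in $_POST is stored.
    update_option( 'example_affiliate_redirect', $_POST['redirect'] );
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings' ) );
    exit;
}

// ---- Hardened pattern: nonce + capability check + input sanitization ----
// 1. The plugin's own form embeds a nonce bound to this action and to the
//    current user's session. An attacker's page cannot read it.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings" />
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <label for="example-redirect">Redirect type</label>
        <input type="text" id="example-redirect" name="redirect" />
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. The handler rejects any request that does not carry a valid nonce, then
//    separately checks authorization, because CSRF protection is not a
//    substitute for a capability check.
add_action( 'admin_post_example_save_settings', 'example_save_settings' );
function example_save_settings() {
    // Verifies $_POST['example_nonce'] against the action; calls wp_die()
    // with a 403 if the nonce is missing, expired, or for another user.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to change these settings.', 'example' ),
            '',
            array( 'response' => 403 )
        );
    }

    // Sanitize before storing; never write raw request data to an option.
    $redirect = isset( $_POST['redirect'] )
        ? sanitize_text_field( wp_unslash( $_POST['redirect'] ) )
        : '';
    update_option( 'example_affiliate_redirect', $redirect );

    wp_safe_redirect( admin_url( 'admin.php?page=example-settings&updated=1' ) );
    exit;
}
```

The same rule applies to AJAX endpoints registered with `wp_ajax_*`: the handler must call `check_ajax_referer()` with the action the nonce was created for, and state-changing work should be accepted only via POST. When reviewing a plugin for this class of bug, look for every `admin_post_*` and `wp_ajax_*` callback and confirm that each one reaches a nonce verification and a `current_user_can()` check before it touches the database.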
What is CVE-2026-25024?
CVE-2026-25024 is a Cross-Site Request Forgery (CSRF) vulnerability in the ThirstyAffiliates WordPress plugin that allows an attacker to make a logged-in user's browser perform unauthorized plugin actions.
Am I affected?
Yes, if you are running ThirstyAffiliates 3.11.9 or earlier (the affected range is 0.0.0 through 3.11.9).
How do I fix it?
Upgrade the ThirstyAffiliates plugin to version 3.11.10 or later. WAF rules that block the plugin's admin endpoints for requests without a same-site Origin or Referer can serve as a temporary mitigation, not a fix.
Is it being exploited?
No active exploitation has been confirmed and the EPSS score is 0.02%, but CSRF issues are easy to exploit once the vulnerable request is known, so the upgrade should not be delayed.
Where is the official advisory?
Refer to the ThirstyAffiliates plugin website or the WordPress plugin repository for the official advisory and update information.