CVE-2025-26957 – This vulnerability allows attackers to include ... (How to Fix)

Q: What is the severity of CVE-2025-26957?

CVE-2025-26957 has a CVSS score of 7.5 (HIGH). This vulnerability allows attackers to include local files on the server through the Affiliate Coupons WordPress plugin. Attackers can potentially read sensitive files or execute code by manipulating file inclusion parameters. All WordPress sites running vulnerable versions of the Affiliate Coupons plugin are affected.

📋 TL;DR

This vulnerability allows attackers to include local files on the server through the Affiliate Coupons WordPress plugin. Attackers can potentially read sensitive files or execute code by manipulating file inclusion parameters. All WordPress sites running vulnerable versions of the Affiliate Coupons plugin are affected.

💻 Affected Systems

Products:

Deetronix Affiliate Coupons WordPress Plugin

Versions: All versions up to and including 1.7.3

Operating Systems: Any OS running PHP and WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with the vulnerable plugin activated. PHP configuration (allow_url_include) may affect exploitability.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete server compromise, data theft, and website defacement.

🟠

Likely Case

Sensitive file disclosure (configuration files, database credentials) and limited code execution within web server context.

🟢

If Mitigated

Limited impact if proper file permissions restrict access to sensitive files and web application firewall blocks malicious requests.

🌐 Internet-Facing: HIGH - WordPress plugins are typically internet-facing and this vulnerability requires no authentication.

🏢 Internal Only: MEDIUM - Internal systems could be targeted through phishing or compromised internal accounts.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires understanding of PHP file inclusion vulnerabilities and ability to craft malicious requests. No authentication required based on CWE-98 classification.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 1.7.3 (check plugin repository for latest)

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/affiliate-coupons/vulnerability/wordpress-affiliate-coupons-plugin-1-7-3-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Affiliate Coupons' and click 'Update Now'. 4. Alternatively, download latest version from WordPress.org and replace plugin files.

🔧 Temporary Workarounds

Disable Plugin

WordPress

Temporarily disable the Affiliate Coupons plugin until patched

wp plugin deactivate affiliate-coupons

Web Application Firewall Rule

all

Block requests containing file inclusion patterns targeting the plugin

🧯 If You Can't Patch

Remove the Affiliate Coupons plugin completely from production systems
Implement strict file permissions (chmod 600) on sensitive configuration files

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Affiliate Coupons version. If version is 1.7.3 or lower, you are vulnerable.

Check Version:

wp plugin get affiliate-coupons --field=version

Verify Fix Applied:

Verify plugin version is higher than 1.7.3. Test file inclusion functionality manually if possible.

📡 Detection & Monitoring

Log Indicators:

HTTP requests with suspicious file paths in parameters
Multiple 404 errors followed by successful file reads
PHP include/require errors in web server logs

Network Indicators:

Unusual file paths in GET/POST parameters
Requests to plugin-specific endpoints with file inclusion patterns

SIEM Query:

source="web_logs" AND (uri="*affiliate-coupons*" AND (param="*../*" OR param="*php://*" OR param="*file=*"))

📊 Metadata

CVE ID: CVE-2025-26957

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-98

EPSS Score: 0.24% exploit probability (47.2th percentile)

Published: February 25, 2025

Last Updated: February 25, 2025

🔗 References

https://patchstack.com/database/wordpress/plugin/affiliate-coupons/vulnerability/wordpress-affiliate-coupons-plugin-1-7-3-local-file-inclusion-vulnerability?_s_id=cve

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-26957, you might also want to check these: