CVE-2026-25024
Unknown Unknown - Not Provided
CSRF Vulnerability in ThirstyAffiliates Plugin Allows Unauthorized Actions

Publication date: 2026-02-03

Last updated on: 2026-02-03

Assigner: Patchstack

Description
Cross-Site Request Forgery (CSRF) vulnerability in Blair Williams ThirstyAffiliates thirstyaffiliates allows Cross Site Request Forgery.This issue affects ThirstyAffiliates: from n/a through <= 3.11.9.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-03
Last Modified
2026-02-03
Generated
2026-06-16
AI Q&A
2026-02-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25024
EUVD
EUVD-2026-5308
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
blair_williams thirstyaffiliates to 3.11.9 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-25024 is a Cross Site Request Forgery (CSRF) vulnerability affecting the WordPress ThirstyAffiliates Plugin versions up to and including 3.11.9.

This vulnerability allows a malicious actor to trick higher privileged users into executing unwanted actions while authenticated, by having them click a malicious link, visit a crafted page, or submit a form.

The issue requires user interaction and does not affect unauthenticated users directly.

It is classified under OWASP Top 10 A1: Broken Access Control with a CVSS score of 5.4, indicating low severity and low priority.

Mitigation Strategies

The immediate and recommended mitigation step is to update the ThirstyAffiliates plugin to version 3.11.10 or later, where this vulnerability has been fixed.

Additionally, consider applying automated updates or rapid mitigation tools provided by Patchstack to ensure your system remains protected.

Impact Analysis

This vulnerability can impact you by allowing an attacker to perform unauthorized actions on your behalf if you are a higher privileged user and interact with a malicious link, page, or form.

Such actions could lead to unintended changes or operations within the ThirstyAffiliates plugin while you are authenticated.

However, the vulnerability requires user interaction and does not affect unauthenticated users directly, and it is considered low severity.

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability is a Cross Site Request Forgery (CSRF) issue affecting authenticated users of the ThirstyAffiliates WordPress plugin up to version 3.11.9. Detection involves verifying the plugin version installed on your WordPress site.'}, {'type': 'paragraph', 'content': 'You can detect if your system is vulnerable by checking the installed version of the ThirstyAffiliates plugin. For example, you can use the following command in the WordPress installation directory to check the plugin version:'}, {'type': 'list_item', 'content': "grep 'Version:' wp-content/plugins/thirstyaffiliates/thirstyaffiliates.php"}, {'type': 'paragraph', 'content': 'If the version is less than or equal to 3.11.9, your system is vulnerable to this CSRF issue.'}] [1]

Compliance Impact

The provided information does not specify any direct impact of this Cross-Site Request Forgery (CSRF) vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25024. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart