CVE-2026-40770 (Severity: HIGH, CNA: Patchstack)

CVE-2026-40770: WordPress Coupon Affiliates plugin <= 7.5.3 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) in Coupon Affiliates <= 7.5.3 versions.

Metrics

  • CVSS v3.1 base score: 7.1
  • Severity: HIGH
  • Fixed in: no fix version published upstream
  • Affected products: 1


HarborGuard Analysis

Synopsis

Reflected or stored cross-site scripting (XSS) in the WordPress Coupon Affiliates plugin (versions 7.5.3 and earlier) allows an unauthenticated remote attacker to inject malicious scripts into pages served to other users. The vulnerability is reachable over the network, requires no authentication, and is triggered when a victim visits or interacts with a crafted URL or page. Successful exploitation lets the attacker execute arbitrary JavaScript in the victim's browser, enabling session hijacking, credential theft, or unauthorized actions taken on behalf of the victim. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-40770 is available across every HarborGuard environment. The CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built WordPress images that bundle the Coupon Affiliates plugin.

Triage: Available

Triage is available with a CVSS v3.1 score of 7.1 (HIGH), weighted against each customer organization's compliance policy to determine priority and routing. Findings are delivered to the appropriate team inbox within the customer's HarborGuard organization based on configured policy rules.

Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix version is released by the vendor. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be opened automatically once an upstream patch is available.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the affected WordPress installation over the network; there is no local or physical access requirement.

  • Authentication: Not required

    No account or session is needed; the attack can be launched by any unauthenticated external party.

  • Victim interaction: Required

    A logged-in user (typically an admin or affiliate user) must visit or interact with a crafted link or page for the injected script to execute.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental setup.

Blast Radius

  • The attacker executes arbitrary JavaScript in the victim's browser session, allowing theft of session cookies or authentication tokens.
  • With a stolen session, the attacker can perform actions as the victim, including modifying affiliate settings or accessing restricted WordPress admin functions.
  • Confidential data visible to the victim in the current browser context, such as affiliate earnings and referral records, is exposed to the attacker.
  • The injected script can alter page content delivered to the victim, defacing the user interface or redirecting the victim to a malicious site.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is matched against all customer images containing the Coupon Affiliates plugin on every scan cycle. Because no upstream fix has been published as of the CVE publication date, HarborGuard monitors the Patchstack advisory and the WordPress plugin repository on every ingest cycle. When a patched version is released, a rebuilt image at that version becomes available immediately. For customers with auto-remediation enabled, a regression test run and a PR against affected workloads will be opened automatically at that point. In the interim, compensating controls worth evaluating include network-policy rules that restrict who can send requests to the affected WordPress installation, web application firewall rules targeting the vulnerable input vectors, and disabling the Coupon Affiliates plugin until a fix is available if the feature is not operationally critical.

Affected packages
  • RelyWP / Coupon Affiliates
    ≤ 7.5.3
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L