Cross-Site Request Forgery (CSRF) vulnerability in appsbd Vite Coupon vite-coupon allows Remote Code Inclusion.This issue affects Vite Coupon: from n/a through <= 1.0.9.
An attacker can trick an authenticated WordPress site administrator into visiting a crafted page or clicking a malicious link, which will trigger an unauthorized HTTP request on their behalf (CSRF). The lack of proper CSRF token verification at critical endpoints in the Vite Coupon plugin allows remote code inclusion and execution on the server. The attack requires no authorization on the attacker's side or interaction other than convincing the victim to perform a single action in the browser.
A successful attack leads to complete server takeover — the attacker can execute arbitrary code, access sensitive data, modify website content, and compromise the integrity and availability of the entire system.
Update the Vite Coupon plugin immediately to a version higher than 1.0.9. If an update is not yet available, disable and remove the plugin immediately. Details regarding the patch are available in the vendor's references and in the Patchstack database.
WordPress plugin Vite Coupon (appsbd) in versions from the beginning up to and including 1.0.9.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H