CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-32642

CVSS 10.0v3.1pub. 2025-04-09upd. 2026-04-23

Cross-Site Request Forgery (CSRF) vulnerability in appsbd Vite Coupon vite-coupon allows Remote Code Inclusion.This issue affects Vite Coupon: from n/a through <= 1.0.9.

🤖 AI Analysis
How it works

An attacker can trick an authenticated WordPress site administrator into visiting a crafted page or clicking a malicious link, which will trigger an unauthorized HTTP request on their behalf (CSRF). The lack of proper CSRF token verification at critical endpoints in the Vite Coupon plugin allows remote code inclusion and execution on the server. The attack requires no authorization on the attacker's side or interaction other than convincing the victim to perform a single action in the browser.

Impact

A successful attack leads to complete server takeover — the attacker can execute arbitrary code, access sensitive data, modify website content, and compromise the integrity and availability of the entire system.

Mitigation & patch

Update the Vite Coupon plugin immediately to a version higher than 1.0.9. If an update is not yet available, disable and remove the plugin immediately. Details regarding the patch are available in the vendor's references and in the Patchstack database.

Who is affected

WordPress plugin Vite Coupon (appsbd) in versions from the beginning up to and including 1.0.9.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References