What the vulnerability does
01 Description
Cross-Site Request Forgery (CSRF) vulnerability in Awin – Advertiser Tracking for WooCommerce (awin-advertiser-tracking) allows Cross-Site Request Forgery. This issue affects Awin – Advertiser Tracking for WooCommerce: versions from n/a through 2.0.0 (inclusive).
Explanation of Vulnerability in Simple Terms
02 Summary
The Awin Advertiser Tracking for WooCommerce plugin through version 2.0.0 is vulnerable to cross-site request forgery (CSRF). An attacker can craft a malicious link or webpage that, when visited by a logged-in site administrator, performs unwanted actions on the site without the administrator's knowledge or consent. This could allow unauthorized changes to plugin settings or affiliate tracking configuration.
What an attacker can do
03 Attacker Capabilities
Trick a site admin into visiting a malicious page that performs unwanted actions on the site.
Potential impact on your site
04 Site Impact
Unauthorized changes to affiliate tracking settings or plugin configuration if an admin visits a malicious link.
Conditions required to exploit
05 Prerequisites
An admin must visit an attacker-controlled page while logged into WordPress.
Key dates
06 Disclosure timeline
May 7, 2025: CVE published
May 12, 2026: Record updated