CVE-2021-25078
Affiliates Manager < 2.9.0 - Unauthenticated Stored Cross-Site Scripting
Vexday Risk Score: 18 (Low)
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS: —
EPSS: 2.3%
KEV: no
PoC: —
Nuclei: yes
Metasploit: —
Patch: —
Lifecycle
24 Jan 2022: Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
The Affiliates Manager WordPress plugin before 2.9.0 does not validate, sanitise or escape the IP address of requests logged by its click tracking feature. Because the logged value is rendered unescaped in the admin view, an unauthenticated attacker can store a payload that executes as Cross-Site Scripting against an administrator viewing the tracked requests.
Affected products
Unknown · Affiliates Manager