ClickBank Affiliate Ads <= 1.20 - CSRF to Stored Cross-Site Scripting
CVE-2015-20105

9.6CRITICAL

Key Information:

Vendor
Wordpress
Status
Clickbank Affiliate Ads
Vendor
CVE Published:
2 December 2021

Summary

The ClickBank Affiliate Ads WordPress plugin through 1.20 does not have CSRF check when saving its settings, allowing attacker to make logged in admin change them via a CSRF attack. Furthermore, due to the lack of escaping when they are outputting, it could also lead to Stored Cross-Site Scripting issues

Affected Version(s)

ClickBank Affiliate Ads 1.20

References

https://wpscan.com/vulnerability/2bc3af7e-5542-40c4-8141-...
x_refsource_MISC
https://seclists.org/bugtraq/2015/May/45
x_refsource_MISC
https://packetstormsecurity.com/files/131814/
x_refsource_MISC

CVSS V3.1

Score:
9.6
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kaustubh G. Padwad
.