Coupon Affiliates < 4.16.4.5 - Unauthenticated Stored XSS
CVE-2022-0818

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: WooCommerce Affiliate Plugin – Coupon Affiliates
Vendor: CVE Published:; 28 March 2022

Summary

The WooCommerce Affiliate Plugin WordPress plugin before 4.16.4.5 does not have authorization and CSRF checks on a specific action handler, as well as does not sanitize its settings, which enables an unauthenticated attacker to inject malicious XSS payloads into the settings page of the plugin.

Affected Version(s)

WooCommerce Affiliate Plugin – Coupon Affiliates 4.16.4.5

References

https://wpscan.com/vulnerability/c43fabb4-b388-462c-adc4-...

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Mar 28, 2022
Vulnerability Reserved
Mar 1, 2022

Credit

cydave