Stored Cross-Site Scripting in WP Affiliate Platform Plugin by WordPress
CVE-2022-3897

5.5MEDIUM

Key Information:

Vendor: Wordpress
Status: WP Affiliate Platform
Vendor: CVE Published:; 29 November 2022

Summary

The WP Affiliate Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to inadequate input sanitization and output escaping in multiple parameters. Authenticated attackers with administrator-level access can exploit this vulnerability to inject arbitrary scripts into webpages. These scripts execute whenever a user views the compromised pages, potentially leading to unauthorized access and data theft.

Affected Version(s)

WP Affiliate Platform * <= 6.3.9

References

https://www.tipsandtricks-hq.com/wordpress-affiliate-plat...

https://www.wordfence.com/vulnerability-advisories-contin...

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Nov 29, 2022
Vulnerability Reserved
Nov 8, 2022

Credit

Marco Wotschka