Unprotected URL Injection Vulnerability in Amazon Associates Affiliate Plugin
CVE-2024-9349

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: Auto Amazon Links
Vendor: CVE Published:; 4 October 2024

What is CVE-2024-9349?

The Auto Amazon Links – Amazon Associates Affiliate Plugin for WordPress has a vulnerability that exposes it to reflected cross-site scripting due to improper escaping of URLs when using the add_query_arg function. This flaw exists in all versions up to and including 5.4.2, enabling potential attackers to inject malicious web scripts into web pages. If a user is tricked into clicking a link that exploits this vulnerability, the injected scripts may execute in their browser, compromising the integrity of the user's session and potentially leading to unauthorized actions on behalf of the user.

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/amazon-auto-li...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 4, 2024

Wordpress

What is CVE-2024-9349?

References

CVSS V3.1

Timeline