Stored XSS Vulnerability in AffiliateWP Plugin by Syed Balkhi
CVE-2025-53460

5.9MEDIUM

Key Information:

Vendor: WordPress
Status: AffiliateWP – External Referral Links
Vendor: CVE Published:; 22 September 2025

What is CVE-2025-53460?

A stored cross-site scripting (XSS) vulnerability has been identified in the AffiliateWP – External Referral Links plugin developed by Syed Balkhi. This issue arises from improper neutralization of input during web page generation, allowing attackers to inject malicious scripts that can be executed whenever a user accesses affected instances of the application. This vulnerability impacts versions from n/a up to and including 1.2.0, potentially compromising the security of web applications utilizing this plugin and leading to unauthorized access, data theft, or the spread of malware.

Affected Version(s)

AffiliateWP – External Referral Links <= 1.2.0

References

https://patchstack.com/database/wordpress/plugin/affiliat...

vdb-entry

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 22, 2025
Vulnerability Reserved
Jun 30, 2025

Credit

Nabil Irawan (Patchstack Alliance)

JSON