Stored Cross-Site Scripting Vulnerability in WP Affiliate Plugin by a Major Vendor
CVE-2026-15296

6.4MEDIUM

What is CVE-2026-15296?

The WP Affiliate Plugin for WordPress is susceptible to Stored Cross-Site Scripting due to inadequate input sanitization and output encoding on the 'atkp_product' shortcode. This vulnerability allows authenticated attackers with contributor-level access and above to inject malicious scripts into pages, which can execute when users visit the affected pages. The flaw poses significant risks to website integrity and user safety, emphasizing the need for prompt updates and security measures.

Affected Version(s)

affiliate-toolkit – Multi-Network Affiliate & Amazon Product Display 0 <= 3.7.0

References

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Peter Thaleikis
.