WordPress Plugin Vulnerabilities

Auto Amazon Links < 5.3.2 - Contributor+ Stored XSS

Description

The plugin does not sanitize and escape some of its settings, which could allow contributor+ to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Affects Plugins

Plugin icon
amazon-auto-links
Fixed in 5.3.2

References

CVE
CVE-2023-4482

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Marco Wotschka
Verified
No
WPVDB ID
1c57fe04-ff10-4ef9-afdf-fd998e70cc32

Timeline

Publicly Published
2023-09-05 (about 2 years ago)
Added
2023-10-20 (about 2 years ago)
Last Updated
2023-10-20 (about 2 years ago)

Other

Published
Title
Published
2024-11-08
Title
OpenCart Product Display <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-09-22
Title
AuthorSure <= 2.3 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2024-12-11
Title
Smaily for WP < 3.1.6 - Contributor+ Stored XSS
Published
2025-12-16
Title
HTML Forms – Simple WordPress Forms Plugin < 1.6.1 - Unauthenticated Stored Cross-Site Scripting
Published
2024-06-06
Title
Rife Free < 2.4.20 - Authenticated (Contributor+) Stored Cross-Site Scripting