WordPress Plugin Vulnerabilities

Affiliate Links Lite < 2.7 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
affiliate-links
Fixed in 2.7

References

CVE
CVE-2023-22696
URL
https://patchstack.com/database/vulnerability/affiliate-links/wordpress-affiliate-links-lite-plugin-2-4-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Justiice
Verified
No
WPVDB ID
1e515283-f309-4b71-8b0e-28bb9b952260

Timeline

Publicly Published
2023-04-14 (about 3 years ago)
Added
2023-05-10 (about 3 years ago)
Last Updated
2023-12-28 (about 2 years ago)

Other

Published
Title
Published
2022-07-04
Title
Unyson < 2.7.27 - Reflected Cross-Site Scripting
Published
2023-11-07
Title
Under Construction / Maintenance Mode from Acurax <= 2.6 - Unauthenticated Stored XSS
Published
2025-01-22
Title
Avada Builder < 3.11.12 - Authenticated (Contributor+) Stored Cross-Site Scripting in Multiple Widgets
Published
2025-04-14
Title
Newsletter < 8.7.1 - Admin+ Stored XSS
Published
2015-02-22
Title
Image Metadata Cruncher - Multiple Cross-Site Scripting (XSS)