WordPress Plugin Vulnerabilities

ClickBank Affiliate Ads < 1.35 - CSRF to Stored Cross-Site Scripting

Description

The plugin does not have CSRF check when saving its settings, allowing attacker to make logged in admin change them via a CSRF attack. Furthermore, due to the lack of escaping when they are outputting, it could also lead to Stored Cross-Site Scripting issues

Proof of Concept

Affects Plugins

Plugin icon
clickbank-ads-clickbank-widget
Fixed in 1.35

References

CVE
CVE-2015-20105
Exploitdb
36959
URL
https://packetstormsecurity.com/files/#131814/
URL
https://seclists.org/bugtraq/2015/May/45

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Kaustubh G. Padwad
Submitter
ethicalhack3r
Submitter twitter
ethicalhack3r
Verified
Yes
WPVDB ID
2bc3af7e-5542-40c4-8141-7c49e8df68f0

Timeline

Publicly Published
2015-05-06 (about 10 years ago)
Added
2015-05-06 (about 10 years ago)
Last Updated
2022-04-12 (about 3 years ago)

Other

Published
Title
Published
2024-06-27
Title
Scylla lite <= 1.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Shortcode
Published
2025-10-16
Title
TheGem Theme Elements (for WPBakery) < 5.10.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-05-31
Title
Content Blocks (Custom Post Widget) < 3.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via content_block Shortcode
Published
2025-04-01
Title
ABC Notation <= 6.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2019-05-15
Title
WP Live Chat Support < 8.0.27 - Unauthenticated Stored XSS