WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Affiliates Manager < 2.9.14 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

Put the following payload in the "Currency Symbol" settings of the plugin and save: "><svg/onload=prompt(/XSS/)>

Other settings are affected (such as Minimum Payout Amount, Email Name etc)

Affects Plugins

affiliates-manager
Fixed in version 2.9.14

References

CVE
CVE-2022-2799

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Mika

Submitter

Mika

Submitter website
https://mikadmin.fr/
Submitter twitter
mika_sec
Verified

Yes

WPVDB ID
4385370e-cf99-4249-b2c1-90cbfa8378a4

Timeline

Publicly Published

2022-08-16 (about 7 months ago)

Added

2022-08-16 (about 7 months ago)

Last Updated

2022-08-16 (about 7 months ago)

Our Other Services

WPScan WordPress Security Plugin