WordPress Plugin Vulnerabilities

affiliate-toolkit – WordPress Affiliate < 3.3.4 - Editor+ Stored XSS

Description

The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Editor to perform Cross-Site Scripting attacks

Affects Plugins

Plugin icon
affiliate-toolkit-starter
Fixed in 3.3.4

References

CVE
CVE-2023-23786

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
yuyudhn
Verified
No
WPVDB ID
600aaaf7-b971-4559-9d1d-c6a0a484250e

Timeline

Publicly Published
2023-03-30 (about 3 years ago)
Added
2023-05-10 (about 3 years ago)
Last Updated
2023-05-10 (about 3 years ago)

Other

Published
Title
Published
2025-01-06
Title
WP jQuery DataTable < 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-10-21
Title
Simple Business Data <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-09-25
Title
iFolders < 1.5.1 - Admin+ XSS
Published
2023-10-16
Title
Minimum Purchase for WooCommerce <= 2.0.0.1 - Contributor+ Stored XSS
Published
2024-05-10
Title
If-So Dynamic Content Personalization < 1.8.0.3 - Contributor+ Shortcode Stored XSS