WordPress Plugin Vulnerabilities

Awin Data Feed < 1.8 - Unauthenticated Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape a header when processing request to generate analytics data, allowing unauthenticated users to perform Stored Cross-Site Scripting attacks against a logged in admin viewing the plugin's settings

Proof of Concept

Affects Plugins

Plugin icon
awin-data-feed
Fixed in 1.8

References

CVE
CVE-2022-1938

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.3 (high)

Miscellaneous

Original Researcher
cydave
Submitter
cydave
Submitter website
https://cyllective.com/
Submitter twitter
cyllective
Verified
Yes
WPVDB ID
70aed824-c53e-4672-84c9-039dc34ed5fa

Timeline

Publicly Published
2022-06-16 (about 3 years ago)
Added
2022-06-16 (about 3 years ago)
Last Updated
2023-03-20 (about 2 years ago)

Other

Published
Title
Published
2025-09-16
Title
Media Player Addons for Elementor < 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widget Fields
Published
2024-07-01
Title
Ultimate Blocks – WordPress Blocks Plugin < 3.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via title tag attribute
Published
2021-10-04
Title
Coming Soon, Under Construction & Maintenance Mode By Dazzler < 1.6.7 - Admin+ Stored Cross-Site Scripting
Published
2025-06-13
Title
Simply Schedule Appointments < 1.6.8.32 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Shortcodes
Published
2025-03-27
Title
Off-Canvas Sidebars & Menus (Slidebars) < 0.5.8.4 - Authenticated (Contributor+) Stored Cross-Site Scripting