Affiliate Manager < 2.7.8 – Unauthenticated Stored Cross-Site Scripting (XSS) | Plugin Vulnerabilities

Description

The plugin does not properly validate and sanitise data passed to the affiliate-register form, allowing unauthenticated user to set XSS payloads in some of its fields. The payloads will then be triggered when privileged users, such as admin, will view the created affiliate in the backend.

Proof of Concept

As an unauthenticated user, go to the affiliate-register page (default is /affiliate-home/affiliate-register/), fill the form and put the following payload in the Last Name and City fields (others are also vulnerable): a" onfocus=alert(/XSS/) autofocus="autofocus. Then, log in as admin and view the created affiliate (ie /wp-admin/admin.php?page=wpam-affiliates&viewDetail=1) to trigger the XSS.

Affects Plugins

affiliates-manager

Fixed in 2.7.8

References

URL

https://plugins.trac.wordpress.org/changeset/2379248

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Till Oberbeckmann, Jan Kahmen

Submitter

Jan Kahmen

Submitter website

https://turingpoint.de/

Submitter twitter

Verified

Yes

WPVDB ID

7ff1e88c-64c7-4d8f-93e7-2de428a22a70

Timeline

Publicly Published

2020-09-14 (about 5 years ago)

Added

2020-09-14 (about 5 years ago)

Last Updated

2020-09-15 (about 5 years ago)

Other

Published

Title

Published

2025-04-22

Title

Post in page for Elementor < 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2017-06-22

Title

Analytics Tracker < 1.1.1 - XSS

Published

2025-08-22

Title

Statify Widget < 1.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2022-05-18

Title

Code Snippets < 2.14.4 - Reflected Cross-Site Scripting

Published

2023-05-09

Title

Post Snippets < 4.0.3 - Admin+ Stored XSS