WordPress Plugin Vulnerabilities

WP Affiliate Platform < 6.4.0 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
wp-affiliate-platform
Fixed in 6.4.0

References

CVE
CVE-2022-3897

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Marco Wotschka
Verified
No
WPVDB ID
8f09dc0a-4d5a-48e0-a12c-fcea79b9364e

Timeline

Publicly Published
2022-11-14 (about 3 years ago)
Added
2022-11-14 (about 3 years ago)
Last Updated
2022-11-14 (about 3 years ago)

Other

Published
Title
Published
2015-10-27
Title
NextGEN Gallery < 2.1.10 - Multiple XSS
Published
2022-05-16
Title
Photo Gallery < 1.6.4 - Admin+ Stored Cross-Site Scripting
Published
2025-04-17
Title
Payment Form for PayPal Pro < 1.1.73 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2020-07-08
Title
Mailster Gravity Forms < 2.4.9 - Unauthenticated Stored Cross-Site Scripting (XSS)
Published
2025-08-01
Title
Medical Addon for Elementor < 1.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Typewriter Widget