Ultimate Affiliate Pro WordPress Plugin < 4.0 – Authenticated Stored XSS | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some parameters available to Affiliate, leading to Stored Cross-Site Scripting issues

Proof of Concept

As an affiliate,

Put the following payload in the Profile > Edit Account > Last Name field: jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNMouseoVer=alert(document.domain) )

Put the following payload in the Marketing > Campaigns > Add New Campaign > Name field: <svg/onload=alert(document.domain)>

Other fields may be vulnerable.

Affects Plugins

indeed-affiliate-pro

Fixed in 4.0

References

URL

https://packetstormsecurity.com/files/#143497/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Submitter

8bitsec

Submitter website

https://8bitsec.io

Submitter twitter

Verified

No

WPVDB ID

930bac8f-6905-492f-90b8-ebacb0dbc91f

Timeline

Publicly Published

2017-07-26 (about 8 years ago)

Added

2017-08-02 (about 8 years ago)

Last Updated

2022-03-04 (about 4 years ago)

Other

Published

Title

Published

2025-04-17

Title

WP Post to PDF Enhanced <= 1.1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2023-11-06

Title

SendPress Newsletters < 1.23.11.6 - Contributor+ Stored XSS

Published

2019-09-05

Title

WordPress <= 5.2.2 - Cross-Site Scripting (XSS) in URL Sanitisation

Published

2024-07-29

Title

Hustle < 7.8.5 - Admin+ Stored XSS

Published

2025-10-11

Title

Togo < 1.0.4 - Reflected Cross-Site Scripting