CVE-2015-20105

CRITICAL

ClickBank Affiliate Ads < 1.20 - Cross-Site Request Forgery and Stored Cross-Site Scripting

Title source: llm
STIX 2.1

Description

The ClickBank Affiliate Ads WordPress plugin through 1.20 does not have CSRF check when saving its settings, allowing attacker to make logged in admin change them via a CSRF attack. Furthermore, due to the lack of escaping when they are outputting, it could also lead to Stored Cross-Site Scripting issues

References (3)

Core 3
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/2bc3af7e-5542-40c4-8141-7c49e8df68f0
Exploit, Mailing List, Third Party Advisory x_refsource_misc
https://seclists.org/bugtraq/2015/May/45
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://packetstormsecurity.com/files/131814/

Scores

CVSS v3 9.6
EPSS 0.0095
EPSS Percentile 57.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Details

CWE
CWE-352 CWE-79
Status published
Products (1)
cbads/clickbank_affiliate_ads < 1.20
Published Dec 02, 2021
Tracked Since Feb 18, 2026