CVE-2021-25078

MEDIUM NUCLEI

WordPress Affiliates Manager <2.9.0 - XSS

Title source: llm

Description

The Affiliates Manager WordPress plugin before 2.9.0 does not validate, sanitise and escape the IP address of requests logged by the click tracking feature, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against admin viewing the tracked requests.

Nuclei Templates (1)

Affiliates Manager < 2.9.0 - Cross Site Scripting

MEDIUMVERIFIEDby r3Y3r53

References (2)

[Patch, Third Party Advisory] https://plugins.trac.wordpress.org/changeset/2648196

[Exploit, Third Party Advisory] https://wpscan.com/vulnerability/d4edb5f2-aa1b-4e2d-abb4-76c46def6c6e

Scores

CVSS v3 6.1

EPSS 0.0600

EPSS Percentile 90.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

wpaffiliatemanager/affiliates_manager < 2.9.0

Published Jan 24, 2022

Tracked Since Feb 18, 2026