Exploitation Summary
CVE-2021-25078 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
The Affiliates Manager WordPress plugin before 2.9.0 does not validate, sanitise and escape the IP address of requests logged by the click tracking feature, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against admin viewing the tracked requests.
Nuclei Templates (1)
Affiliates Manager < 2.9.0 - Cross Site Scripting
MEDIUMVERIFIEDby r3Y3r53
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/d4edb5f2-aa1b-4e2d-abb4-76c46def6c6e
Patch, Third Party Advisory x_refsource_confirm
https://plugins.trac.wordpress.org/changeset/2648196
Scores
CVSS v3
6.1
EPSS
0.0229
EPSS Percentile
80.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
wpaffiliatemanager/affiliates_manager
< 2.9.0
Published
Jan 24, 2022
Tracked Since
Feb 18, 2026