Description
The Affiliates Manager WordPress plugin before 2.9.14 does not validate and sanitise the affiliate data, which could allow users registering as affiliates to perform CSV injection attacks against an admin exporting the data.
References (1)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/f169567d-c682-4abe-94df-a9d00be90edd
Scores
CVSS v3
8.0
EPSS
0.0094
EPSS Percentile
56.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-1236
Status
published
Products (1)
wpaffiliatemanager/affiliates_manager
< 2.9.14
Published
Sep 16, 2022
Tracked Since
Feb 18, 2026