Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2021-25078

Severity
6.1 MEDIUM
EPSS
6.0%
top 9.31%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Timeline
Published: Jan 24
Latest update: Jan 25

Description

The Affiliates Manager WordPress plugin before 2.9.0 does not validate, sanitise and escape the IP address of requests logged by the click tracking feature, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against admin viewing the tracked requests.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages: 2 packages

Patches

Vulnerability Details

2 entries
GHSA
GHSA-fm8r-hhjh-xqg8: The Affiliates Manager WordPress plugin before 2… (2022-01-25)
CVEList
Affiliates Manager < 2.9.0 - Unauthenticated Stored Cross-Site Scripting (2022-01-24)

Exploits & PoCs

1 entry
Nuclei
Affiliates Manager < 2.9.0 - Cross Site Scripting