CVE-2022-3896 — Cross-site Scripting in WP Affiliate Platform

CWE-79 — Cross-site Scripting CWE-20 — Improper Input Validation4 documents4 sources

Severity

6.1MEDIUMNVD

CISA5.5

EPSS

3.7%

top 12.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tipsandtrickshq WP Affiliate Platform Tipsandtricks-hq WP Affiliate Platform

Timeline

PublishedNov 29

Description

The WP Affiliate Platform plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via $_SERVER["REQUEST_URI"] in versions up to, and including, 6.3.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This is unlikely to work in modern browsers.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5tipsandtrickshq/wp_affiliate_platform6.3.9

▶NVDtipsandtricks-hq/wp_affiliate_platform6.3.9

🔴Vulnerability Details

GHSA

GHSA-j6cw-2jfh-cxfg: The WP Affiliate Platform plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via $_SERVER["REQUEST_URI"] in versions up to, and incl↗2022-11-29

▶

CVEList

WP Affiliate Platform <= 6.3.9 - Reflected Cross-Site Scripting↗2022-11-29

▶

📋Vendor Advisories

CISA

Microsoft Silverlight Information Disclosure Vulnerability↗2022-05-25

▶