CVE-2022-3897

CWE-79 — Cross-site Scripting (XSS)CWE-3994 documents4 sources

Severity

4.8MEDIUM

EPSS

0.3%

top 46.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tipsandtrickshq WP Affiliate Platform Tipsandtricks-hq WP Affiliate Platform

Timeline

PublishedNov 29

Description

The WP Affiliate Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 6.3.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5tipsandtrickshq/wp_affiliate_platform6.3.9

▶NVDtipsandtricks-hq/wp_affiliate_platform6.3.9

🔴Vulnerability Details

GHSA

GHSA-3r9p-3jq5-46qv: The WP Affiliate Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 6↗2022-11-29

▶

CVEList

WP Affiliate Platform <= 6.3.9 - Authenticated (Administrator+) Stored Cross-Site Scripting↗2022-11-29

▶

📋Vendor Advisories

CISA

Microsoft Internet Explorer Use-After-Free Vulnerability↗2022-03-03

▶