CVE-2024-5280

CWE-352Cross-Site Request Forgery (CSRF)CWE-79Cross-site Scripting (XSS)3 documents3 sources
Severity
4.7MEDIUM
EPSS
0.2%
top 56.66%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Unknown Wp-affiliate-platformTipsandtricks-hq WP Affiliate Platform
Timeline
PublishedJul 13

Description

The wp-affiliate-platform WordPress plugin before 6.5.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make non-logged in users execute an XSS payload via a CSRF attack

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

🔴Vulnerability Details

2
GHSA
GHSA-7pxg-99jf-7vvf: The wp-affiliate-platform WordPress plugin before 62024-07-13
CVEList
WP Affiliate Platform < 6.5.1 - POST Reflected XSS2024-07-13
CVE-2024-5280 (MEDIUM CVSS 4.7) | The wp-affiliate-platform WordPress | cvebase.io