CVE-2024-5284 — Cross-Site Request Forgery in WP Affiliate Platform

CWE-352 — Cross-Site Request Forgery CWE-79 — Cross-site Scripting3 documents3 sources

Severity

6.8MEDIUMNVD

EPSS

0.1%

top 69.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tipsandtricks-hq WP Affiliate Platform

Timeline

PublishedJul 13

Description

The wp-affiliate-platform WordPress plugin before 6.5.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:LExploitability: 2.1 | Impact: 4.7

Affected Packages1 packages

▶NVDtipsandtricks-hq/wp_affiliate_platform< 6.5.1

🔴Vulnerability Details

GHSA

GHSA-cqmh-x8qq-7fj3: The wp-affiliate-platform WordPress plugin before 6↗2024-07-13

▶

CVEList

WP Affiliate Platform < 6.5.1 - Stored XSS via CSRF↗2024-07-13

▶