Vulnerability Description
The Affiliates Manager WordPress plugin before 2.9.0 does not validate, sanitise and escape the IP address of requests logged by the click tracking feature, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against admin viewing the tracked requests.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wpaffiliatemanager | Affiliates Manager | < 2.9.0 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/changeset/2648196PatchThird Party Advisory
- https://wpscan.com/vulnerability/d4edb5f2-aa1b-4e2d-abb4-76c46def6c6eExploitThird Party Advisory
- https://plugins.trac.wordpress.org/changeset/2648196PatchThird Party Advisory
- https://wpscan.com/vulnerability/d4edb5f2-aa1b-4e2d-abb4-76c46def6c6eExploitThird Party Advisory
FAQ
What is CVE-2021-25078?
CVE-2021-25078 is a vulnerability with a CVSS score of 6.1 (MEDIUM). The Affiliates Manager WordPress plugin before 2.9.0 does not validate, sanitise and escape the IP address of requests logged by the click tracking feature, allowing unauthenticated attackers to perfo...
How severe is CVE-2021-25078?
CVE-2021-25078 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-25078?
Check the references section above for vendor advisories and patch information. Affected products include: Wpaffiliatemanager Affiliates Manager.