CVE-2021-25078

nvd nist nuclei

Published: Jan 24, 2022Modified: Jun 17, 2026

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

The Affiliates Manager WordPress plugin before 2.9.0 does not validate, sanitise and escape the IP address of requests logged by the click tracking feature, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against admin viewing the tracked requests.

Affected (1)

Products: Wpaffiliatemanager: Affiliates Manager

Wpaffiliatemanager

1 product

Affiliates Manager

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Wpaffiliatemanager Affiliates Manager	Before 2.9.0

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://plugins.trac.wordpress.org/changeset/2648196

Source: contact@wpscan.com

PatchThird Party Advisory

https://wpscan.com/vulnerability/d4edb5f2-aa1b-4e2d-abb4-76c46def6c6e

Source: contact@wpscan.com

ExploitThird Party Advisory

https://plugins.trac.wordpress.org/changeset/2648196

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://wpscan.com/vulnerability/d4edb5f2-aa1b-4e2d-abb4-76c46def6c6e

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.