QID 150573

Date Published: 2022-09-26

QID 150573: WordPress Affiliates Manager Plugin: Multiple Vulnerabilities (CVE-2022-2798,CVE-2022-2799)

The WP Affiliate Manager plugin is a WordPress plugin. It facilitates the affiliates recruitment, registration, login, management process.

Affiliate Manager plugin contains multiple vulnerabilities:
CVE-2022-2799 : The plugin does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

CVE-2022-2798: The plugin does not validate and sanitise the affiliate data, which could allow users registering as affiliate to perform CSV injection attacks against an admin exporting the data.

Affected Versions:
The WP Affiliate Manager WordPress plugin before 2.9.14.

QID Detection Logic:
This QID sends a HTTP GET request and checks for vulnerable version of WordPress plugin running on the target application.

Successful exploitation could allow an attacker to execute arbitrary JavaScript code in the context of the interface or to perform CSV injection attacks against an admin exporting the data.

  • CVSS V3 rated as High - 8 severity.
  • CVSS V2 rated as High - 6.4 severity.
    • Solution
    Customers are advised to upgrade to WP Affiliate Manager plugin 2.9.14 or later version to remediate this vulnerability.
    For more information regarding this vulnerability please refer WPScan Advisory (CVE-2022-2799) and WPScan Advisory (CVE-2022-2798).
    Vendor References

    CVEs related to QID 150573

    CVE-2022-2798 | CVE-2022-2799 |
    Software Advisories
    Advisory ID Software Component Link
    WPScan URL Logo wpscan.com/vulnerability/f169567d-c682-4abe-94df-a9d00be90edd
    WPScan URL Logo wpscan.com/vulnerability/4385370e-cf99-4249-b2c1-90cbfa8378a4
    By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].