Vulnrichment / WPScan / VULNRICHMENT:CVE-2024-5284
History: Jul 13, 2024 - 6:00 a.m.

CVE-2024-5284 WP Affiliate Platform < 6.5.1 - Stored XSS via CSRF

2024-07-13 06:00:10
WPScan
github.com
cve-2024-5284
wordpress plugin
csrf attack
stored xss
sanitisation

AI Score: 5.9
Confidence: High
SSVC Exploitation: poc
SSVC Automatable: no
SSVC Technical Impact: partial

The wp-affiliate-platform WordPress plugin before 6.5.1 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:wp_affiliate_platform_project:wp_affiliate_platform:*:*:*:*:*:wordpress:*:*"
    ],
    "vendor": "wp_affiliate_platform_project",
    "product": "wp_affiliate_platform",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "6.5.1",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unknown"
  }
]
