The plugin does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Put the following payload in the “Currency Symbol” setting of the plugin and save: `">`
Other settings are affected (such as Minimum Payout Amount, Email Name, etc.).
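The root cause described above is a settings value that is stored and echoed back verbatim. The following is an added example, not code from the Affiliates Manager plugin: it shows that vulnerable pattern for a "Currency Symbol" style option beside the hardened form a plugin author would write. The option name, settings group and `afm_example_*` function names are assumptions made for this illustration; the WordPress functions used (`register_setting`, `get_option`, `sanitize_text_field`, `esc_attr`, `add_action`) are real.

```php
<?php
/*
 * Added example (not the plugin's own code). Names prefixed afm_example_ are
 * assumed for illustration; the WordPress API calls are real.
 */

// --- Vulnerable pattern: stored verbatim, echoed verbatim. -----------------
// A saved value that begins with  ">  closes the value attribute and the
// <input> tag, so whatever follows it is rendered as markup on the settings
// page. Because nothing here checks or strips the value, the stored XSS works
// even for administrators whose unfiltered_html capability has been removed.
function afm_example_render_currency_symbol_vulnerable() {
    $symbol = get_option( 'afm_example_currency_symbol', '$' );
    echo '<input type="text" name="afm_example_currency_symbol" value="' . $symbol . '">';
}

// --- Hardened pattern: sanitise on save, escape on output. -----------------
// 1. register_setting() with a sanitize_callback makes the Settings API run
//    the callback on every write, so tags never reach the database. The
//    callback runs regardless of the saving user's capabilities, which is the
//    behaviour expected when unfiltered_html is disallowed.
function afm_example_register_settings() {
    register_setting(
        'afm_example_settings_group',      // assumed settings group
        'afm_example_currency_symbol',     // assumed option name
        array(
            'type'              => 'string',
            'sanitize_callback' => 'afm_example_sanitize_currency_symbol',
            'default'           => '$',
        )
    );
}
add_action( 'admin_init', 'afm_example_register_settings' );

function afm_example_sanitize_currency_symbol( $value ) {
    // sanitize_text_field() strips tags, octets and invalid UTF-8 and trims
    // whitespace; a currency symbol has no legitimate need for any of those.
    return sanitize_text_field( (string) $value );
}

// 2. esc_attr() at output time is the control that actually prevents the
//    breakout: even a value written by some other code path cannot escape the
//    attribute, because the quote is emitted as &quot;.
function afm_example_render_currency_symbol_hardened() {
    $symbol = get_option( 'afm_example_currency_symbol', '$' );
    printf(
        '<input type="text" name="%s" value="%s">',
        esc_attr( 'afm_example_currency_symbol' ),
        esc_attr( $symbol )
    );
}
```

Applying both layers (sanitise on save, escape on output) is the relevant check when reviewing a settings page: the sanitize callback keeps the database clean, and the output escaping still protects the page if a value arrives through an import, a migration or another plugin that bypassed the Settings API.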
| CPE | Name | Operator | Version |
|---|---|---|---|
| | affiliates-manager | lt | 2.9.14 |