Impact
An attacker can exploit a reflected Cross‑Site Scripting flaw in the Overstock Affiliate Links plugin. The vulnerability originates from the use of the $_SERVER['PHP_SELF'] variable without proper sanitization or escaping. Because the data is reflected back in an HTML context, any string supplied in the URL can become executable JavaScript during page rendering. Attackers can therefore embed malicious scripts that run in the context of any user who visits the crafted link, potentially stealing session cookies, credentials, or performing actions on behalf of the victim.
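The pattern described above, shown as an added example: this is constructed PHP, not the plugin's own source. The function names and the sample request path are assumptions, and `htmlspecialchars()` stands in for WordPress's `esc_url()` / `esc_attr()` so the file runs without WordPress loaded.

```php
<?php
// Added illustration (constructed): reflecting PHP_SELF into an HTML attribute.

// Vulnerable pattern: PHP_SELF is the script name plus any extra path info
// taken from the request URL, so echoing it raw lets request data close the
// attribute and inject markup.
function render_form_vulnerable(array $server): string {
    return '<form method="post" action="' . $server['PHP_SELF'] . '">';
}

// Hardened pattern: escape for the attribute context at the point of output.
// In a WordPress plugin this would be esc_url() or esc_attr().
function render_form_hardened(array $server): string {
    $self = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $self . '">';
}

// Alternative: do not reflect the request at all. A form without an action
// attribute submits to the current document URL.
function render_form_no_reflection(): string {
    return '<form method="post">';
}

// Constructed sample request: a harmless marker element appended as path info.
$server = ['PHP_SELF' => '/index.php/"><i>marker</i>'];

$outputs = [
    'vulnerable'    => render_form_vulnerable($server),
    'hardened'      => render_form_hardened($server),
    'no reflection' => render_form_no_reflection(),
];

foreach ($outputs as $name => $html) {
    // If the marker tag survives as live markup, the attribute was broken out of.
    $injected = strpos($html, '<i>') !== false;
    printf("%-14s injected=%-3s %s\n", $name, $injected ? 'yes' : 'no', $html);
}
```

When auditing a plugin's source, every place that echoes `$_SERVER['PHP_SELF']` or `$_SERVER['REQUEST_URI']` without an escaping call is a candidate for the same review.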
Affected Systems
The affected software is the Overstock Affiliate Links plugin for WordPress, distributed by travishoki. All releases with a version number up to and including 1.1 are vulnerable. WordPress users who are still operating the plugin at these versions are at risk. No fixed release is listed; users should upgrade once a patched release becomes available.
Risk and Exploitability
The CVSS score of 6.1 indicates medium severity. The EPSS score is below 1%, suggesting a low probability of exploitation in the broader community, and the vulnerability is not currently listed in CISA's KEV catalog. Nonetheless, the flaw is exploitable by unauthenticated actors who can simply craft a malicious URL that browsers will interpret as a script. An attacker only needs to lure a user (e.g., through phishing or social engineering) to click on a link; no administrator credentials or special configuration are required. If successful, the injected script executes with the privileges of the visiting user, enabling data theft or other malicious actions.