Description
The Simple Amazon Affiliate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'msg' parameter in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2025-03-12
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting allowing arbitrary JavaScript execution
Action: Mitigate
AI Analysis

Impact

The vulnerability exists in the Simple Amazon Affiliate WordPress plugin for all releases 1.0.9 or earlier. The plugin takes the value of the HTTP "msg" parameter, outputs it directly into a page without any escaping or sanitization, and therefore a crafted value containing JavaScript can be reflected back to the victim’s browser. An attacker who can entice a user to visit a maliciously crafted URL can cause that user’s browser to run arbitrary scripts, potentially compromising the site’s session cookies, defacing the page, or launching secondary attacks from the victim’s session.

Affected Systems

WordPress installations that have the duogeek Simple Amazon Affiliate plugin installed in any version up to 1.0.9. Sites that have not replaced the plugin with a newer release are vulnerable. No vendor‑specific “upgrade” level is officially published, so the sole mitigation at present is to remove or neutralise the msg parameter usage or disable the plugin.

Risk and Exploitability

The CVSS score of 6.1 indicates medium severity, while the EPSS score is below 1 % and the issue is not listed in CISA’s KEV catalogue, reflecting a low current exploitation probability. The flaw is exploitable by an unauthenticated attacker through a user‑initiated, link‑based attack vector; any web visitor who follows a malicious link can be compromised without further privileges.

Generated by OpenCVE AI on April 22, 2026 at 01:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Implement a content‑security‑policy that blocks inline scripts and restricts script sources to whitelisted origins, reducing the impact of any reflected script execution.
  • Configure a WordPress firewall plugin or modify the site’s functions to strip or encode the "msg" parameter before it is rendered, ensuring that any value passed through the URL cannot produce executable code.
  • If immediate remediation is critical, disable or remove the Simple Amazon Affiliate plugin from the site until an official fix is released; alternatively, block the "msg" parameter altogether using web‑application firewall rules.

Generated by OpenCVE AI on April 22, 2026 at 01:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-7485 The Simple Amazon Affiliate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'msg' parameter in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
History

Sat, 12 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00129}

 epss

{'score': 0.00197}

Wed, 02 Apr 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Duogeek
Duogeek simple Amazon Affiliate
CPEs cpe:2.3:a:duogeek:simple_amazon_affiliate:*:*:*:*:*:wordpress:*:*
Vendors & Products Duogeek
Duogeek simple Amazon Affiliate

Wed, 12 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 12 Mar 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Simple Amazon Affiliate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'msg' parameter in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title Simple Amazon Affiliate <= 1.0.9 - Reflected Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Duogeek Simple Amazon Affiliate
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:31:28.132Z

Reserved: 2025-03-06T21:38:30.605Z

Link: CVE-2025-2077

cve-icon Vulnrichment

Updated: 2025-03-12T13:23:09.310Z

cve-icon NVD

Status : Analyzed

Published: 2025-03-12T04:15:19.000

Modified: 2025-04-02T12:44:08.040

Link: CVE-2025-2077

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T02:00:05Z

Weaknesses