The Simple Amazon Affiliate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'msg' parameter in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
History

Wed, 02 Apr 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Duogeek
Duogeek simple Amazon Affiliate
CPEs cpe:2.3:a:duogeek:simple_amazon_affiliate:*:*:*:*:*:wordpress:*:*
Vendors & Products Duogeek
Duogeek simple Amazon Affiliate

Wed, 12 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 12 Mar 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Simple Amazon Affiliate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'msg' parameter in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title Simple Amazon Affiliate <= 1.0.9 - Reflected Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2025-03-12T13:24:13.588Z

Reserved: 2025-03-06T21:38:30.605Z

Link: CVE-2025-2077

cve-icon Vulnrichment

Updated: 2025-03-12T13:23:09.310Z

cve-icon NVD

Status : Analyzed

Published: 2025-03-12T04:15:19.000

Modified: 2025-04-02T12:44:08.040

Link: CVE-2025-2077

cve-icon Redhat

No data.