Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in winking Affiliate Links Manager affiliate-links-manager allows Reflected XSS. This issue affects Affiliate Links Manager: from n/a through <= 1.0.
Published: 2025-03-03
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation, permitting reflected cross‑site scripting. When a crafted query parameter is sent to the plugin, the server echoes the value directly into the generated page without proper sanitization, enabling an attacker to inject malicious JavaScript that will run in the victim's browser when the page is viewed.

Affected Systems

The affected product is the WordPress Affiliate Links Manager plugin developed by winking. All installations using version 1.0 or earlier are impacted; no specific revision numbers are listed beyond the <= 1.0 boundary.

Risk and Exploitability

The CVSS score of 5.8 indicates a moderate severity, while an EPSS score of less than 1% suggests a very low probability of exploitation. The vulnerability is not currently listed in CISA's KEV catalog. Based on the nature of reflected XSS, the likely attack vector is an HTTP request containing a malicious query string or form input that the user is encouraged to click on, implying that the attacker needs the victim to interact with the crafted URL.

Generated by OpenCVE AI on May 2, 2026 at 08:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Affiliate Links Manager plugin to a version newer than 1.0 (or the latest release available from the developer).
  • Apply the appropriate WordPress core and plugin updates that include security patches for input handling.
  • Configure a web application firewall or input‑validation rule to block or sanitize suspicious query parameters targeting the plugin’s endpoints.

Generated by OpenCVE AI on May 2, 2026 at 08:56 UTC.


Advisories

Source: EUVD
ID: EUVD-2025-5591
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in winking Affiliate Links Manager allows Reflected XSS. This issue affects Affiliate Links Manager: from n/a through 1.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1): {'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Description (removed): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in winking Affiliate Links Manager allows Reflected XSS. This issue affects Affiliate Links Manager: from n/a through 1.0.
Description (added): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in winking Affiliate Links Manager affiliate-links-manager allows Reflected XSS. This issue affects Affiliate Links Manager: from n/a through <= 1.0.
References: no values listed
Metrics (cvssV3_1): {'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Tue, 04 Mar 2025 03:45:00 +0000

Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 03 Mar 2025 13:45:00 +0000

Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in winking Affiliate Links Manager allows Reflected XSS. This issue affects Affiliate Links Manager: from n/a through 1.0.
Title: WordPress Affiliate Links Manager Plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses: CWE-79
References: no values listed
Metrics (cvssV3_1): {'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:46.772Z

Reserved: 2025-02-21T16:45:10.727Z

Link: CVE-2025-27273

Vulnrichment

Updated: 2025-03-03T15:51:50.780Z

NVD

Status: Deferred

Published: 2025-03-03T14:15:58.817

Modified: 2026-06-17T09:03:19.100

Link: CVE-2025-27273

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T09:00:11Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')