Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The Website Flip Add & Replace Affiliate Links for Amazon add-replace-affiliate-links-for-amazon allows Stored XSS. This issue affects Add & Replace Affiliate Links for Amazon: from n/a through <= 1.0.6.
Published: 2025-06-27
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user input in the Add & Replace Affiliate Links for Amazon plugin allows attackers to inject malicious scripts that are stored by the system and later executed when a page is rendered. The weakness, identified as CWE‑79, means that any user who visits the affected page will receive and run the injected code in the context of their browser, potentially allowing the attacker to alter the displayed content or to hijack browser behavior.

Affected Systems

The vulnerability affects the WordPress plugin Add & Replace Affiliate Links for Amazon released by The Website Flip, versions up to and including 1.0.6.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity, while the EPSS score of < 1% signals a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker must be able to submit data through the plugin’s interface—likely requiring an account with permission to modify plugin settings—to store malicious payloads. Once stored, the payload will affect every visitor rendering the compromised content.

Generated by OpenCVE AI on May 1, 2026 at 07:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Add & Replace Affiliate Links for Amazon plugin to a version newer than 1.0.6.
  • If a newer version is not available, uninstall or disable the plugin to eliminate the attack surface.
  • Restrict access to the plugin’s configuration and content entry to administrators only, preventing ordinary users from submitting potentially dangerous input.
  • Consider applying a web application firewall rule that blocks common XSS payloads targeting the plugin’s input fields.

Advisories
Source: EUVD
ID: EUVD-2025-19361
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The Website Flip Add & Replace Affiliate Links for Amazon allows Stored XSS. This issue affects Add & Replace Affiliate Links for Amazon: from n/a through 1.0.6.
History

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The Website Flip Add &amp; Replace Affiliate Links for Amazon add-replace-affiliate-links-for-amazon allows Stored XSS.This issue affects Add &amp; Replace Affiliate Links for Amazon: from n/a through <= 1.0.6.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The Website Flip Add & Replace Affiliate Links for Amazon add-replace-affiliate-links-for-amazon allows Stored XSS.This issue affects Add & Replace Affiliate Links for Amazon: from n/a through <= 1.0.6.

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The Website Flip Add &amp; Replace Affiliate Links for Amazon allows Stored XSS. This issue affects Add &amp; Replace Affiliate Links for Amazon: from n/a through 1.0.6.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The Website Flip Add &amp; Replace Affiliate Links for Amazon add-replace-affiliate-links-for-amazon allows Stored XSS.This issue affects Add &amp; Replace Affiliate Links for Amazon: from n/a through <= 1.0.6.
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Fri, 27 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Jun 2025 13:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The Website Flip Add &amp; Replace Affiliate Links for Amazon allows Stored XSS. This issue affects Add &amp; Replace Affiliate Links for Amazon: from n/a through 1.0.6.
Title WordPress Add & Replace Affiliate Links for Amazon plugin <= 1.0.6 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:22.740Z

Reserved: 2025-06-27T11:58:53.299Z

Link: CVE-2025-53285

Vulnrichment

Updated: 2025-06-27T13:48:26.117Z

NVD

Status: Deferred

Published: 2025-06-27T14:15:50.070

Modified: 2026-04-28T19:33:35.610

Link: CVE-2025-53285

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T07:15:11Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')