Description
The WP Iframe Geo Style for Amazon affiliates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'adid' Shortcode Attribute in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-27
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Iframe Geo Style for Amazon affiliates plugin allows authenticated users with contributor or higher privileges to inject arbitrary scripts through the "adid" shortcode attribute because the input is not properly sanitized or escaped. This flaw is a classic stored XSS (CWE-79) that executes the malicious payload whenever a page containing the injected shortcode is viewed by any user, potentially compromising user sessions, defacing content, or facilitating further attacks.

Affected Systems

All installations of the ektorcaba WP Iframe Geo Style for Amazon affiliates plugin up to and including version 1.1 are affected. Sites running WordPress with this plugin and having users with contributor or higher roles may be vulnerable.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity vulnerability. With contributor-level access required, attackers can exploit the flaw by creating or editing content that includes the malformed "adid" attribute. An EPSS score is not available, and the vulnerability is not currently listed in CISA KEV. Without an official patch, the risk remains until the plugin developer releases a fix or site administrators take mitigations.

Generated by OpenCVE AI on May 27, 2026 at 07:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Iframe Geo Style for Amazon affiliates plugin to the latest version if an update that addresses the issue is available; if no fix exists, uninstall the plugin and seek an alternative solution.
  • Limit the use of this shortcode for users with contributor or higher roles by adjusting role capabilities or configuring the plugin to block the shortcode for those users.
  • Search all stored content for occurrences of the "[iframe_geo]" shortcode with a malicious adid attribute and remove or sanitize any embedded script.
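The third action above is a content audit, and the first two describe the root cause: an attribute value that reaches the page without validation or output escaping. The script below is an added example, not code from the plugin, from Wordfence or from OpenCVE. It scans constructed post content for the `[iframe_geo]` shortcode named above, extracts the `adid` attribute with a parser that approximates WordPress's attribute syntax (double-quoted, single-quoted or bare values), and flags any value that falls outside a conservative allowlist. It assumes that a legitimate Amazon tracking ID is short and limited to letters, digits, hyphens and underscores, and the iframe markup in `render_adid` is a hypothetical stand-in for whatever the plugin emits; both are assumptions to adjust for a real site. `render_adid` shows the general pattern that closes this class of bug: validate against an allowlist first, then escape on output.

```python
"""Triage scan for suspicious `adid` values in stored WordPress shortcodes.

Added example, not code from the plugin or from OpenCVE. Assumptions:
the shortcode is `iframe_geo` (as the recommended actions state) and a
legitimate tracking ID matches ADID_ALLOWED below.
"""
from __future__ import annotations

import html
import re
from dataclasses import dataclass

# Shortcode tag name taken from the recommended actions on the page.
SHORTCODE = "iframe_geo"

# Conservative allowlist for a tracking ID (assumption about Amazon IDs).
ADID_ALLOWED = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Matches `[iframe_geo ...]` and captures the raw attribute string.
_TAG_RE = re.compile(r"\[" + re.escape(SHORTCODE) + r"\b([^\]]*)\]")

# Matches name="value", name='value' or name=value, approximating the
# attribute syntax WordPress accepts inside a shortcode.
_ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s'"\]]+))""")


def parse_attrs(raw: str) -> dict:
    """Return the shortcode attributes as a lower-cased name -> value dict."""
    attrs = {}
    for m in _ATTR_RE.finditer(raw):
        name = m.group(1).lower()
        # Exactly one of the three value alternatives matched.
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[name] = value
    return attrs


@dataclass
class Finding:
    post_id: int
    adid: str
    reason: str


def scan_posts(posts: list[tuple[int, str]]) -> list[Finding]:
    """Flag every iframe_geo shortcode whose adid fails the allowlist."""
    findings = []
    for post_id, content in posts:
        for tag in _TAG_RE.finditer(content):
            adid = parse_attrs(tag.group(1)).get("adid")
            if adid is None:
                continue
            if not ADID_ALLOWED.match(adid):
                findings.append(Finding(post_id, adid, "adid outside allowlist"))
    return findings


def render_adid(adid: str) -> str:
    """Hardened rendering pattern: reject anything outside the allowlist,
    then HTML-escape the value at the point it is placed in an attribute.
    The iframe markup here is hypothetical, not the plugin's output."""
    if not ADID_ALLOWED.match(adid):
        raise ValueError("rejected adid")
    safe = html.escape(adid, quote=True)
    return '<iframe src="https://example.invalid/ad?tag=' + safe + '"></iframe>'


# Constructed sample of (post_id, post_content) rows as an export would give.
SAMPLE_POSTS = [
    (1, 'Deals: [iframe_geo adid="mysite-20" country="us"]'),
    (2, "Review [iframe_geo adid='not a valid id <b>'] text"),
    (3, "no shortcode here"),
]


if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        print(f"post {f.post_id}: {f.reason}: {f.adid!r}")
```

On the constructed sample only post 2 is reported. In a real audit the rows would come from the `wp_posts` table (including revisions and drafts, since a contributor's pending content is stored before it is published) and anything flagged should be reviewed rather than auto-deleted, because a legitimate but unusual ID will also trip a strict allowlist.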

Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Ektorcaba; Ektorcaba wp Iframe Geo Style For Amazon Affiliates; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: (none)
Values added: Ektorcaba; Ektorcaba wp Iframe Geo Style For Amazon Affiliates; Wordpress; Wordpress wordpress

Wed, 27 May 2026 06:30:00 +0000

Type: Description
Values removed: (none)
Values added: The WP Iframe Geo Style for Amazon affiliates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'adid' Shortcode Attribute in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values removed: (none)
Values added: WP Iframe Geo Style for Amazon affiliates <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'adid' Shortcode Attribute

Type: Weaknesses
Values removed: (none)
Values added: CWE-79

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-27T10:40:29.779Z

Reserved: 2026-05-18T14:23:08.460Z

Link: CVE-2026-8837

Vulnrichment

Updated: 2026-05-27T10:40:24.805Z

NVD

Status: Received

Published: 2026-05-27T07:16:15.187

Modified: 2026-05-27T07:16:15.187

Link: CVE-2026-8837

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:07:50Z

Weaknesses