Plugin authors should review every setting their plugin exposes and confirm it can only be read and written by the WordPress roles that genuinely need it. Affiliates Manager before 2.9.14 does not sanitise or escape the value of the site setting: a high-privilege user such as an administrator can store arbitrary HTML or JavaScript in it, and that markup is rendered unescaped on the plugin's settings page, where it runs in the browser of anyone who opens the page (stored cross-site scripting). The plugin never consults the unfiltered_html capability, so the injection works regardless of whether the saving user holds it; the bug matters most where WordPress disallows unfiltered_html even for administrators (multisite, or sites that set DISALLOW_UNFILTERED_HTML), because WordPress would otherwise strip such markup on save. Version 2.9.14 fixes this by sanitising and escaping the value rather than relying on that capability.

Note: if you are running Affiliates Manager, update WordPress core to the latest version before upgrading the plugin to 2.9.14. Both updates are listed under Dashboard > Updates; plugin updates can also be applied from Plugins > Installed Plugins.


Update for CVE-2019-5740

A stored cross-site scripting issue on the plugin's settings page has been fixed: HTML or JavaScript saved into the site setting by a high-privilege user was rendered without escaping and executed in the browser of anyone viewing the page. The injected code runs in the victim's browser, not as PHP on the server.

Plugin developers: update your code immediately!

Affiliates Manager before 2.9.14 stores and renders its site setting without sanitisation or escaping. A user with high privileges on the WordPress site (an administrator) can save HTML or JavaScript into that setting; it is then rendered unescaped on the plugin's settings page and runs in the browser of every user who views the page. The plugin does not check the unfiltered_html capability at all, so the injection works even on sites where that capability is disallowed for administrators.
If your own plugin follows the same pattern, fix it as soon as possible: sanitise each setting when it is saved (for example through the sanitize_callback argument of register_setting), escape it when it is printed (esc_attr, esc_html or esc_url as appropriate), and only accept raw HTML in a setting from users who pass current_user_can( 'unfiltered_html' ). Then retest the settings page with a payload such as a quoted script tag to confirm it is rendered as text.
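As an added example (not code from the Affiliates Manager plugin or its authors), the following minimal WordPress settings page puts the unsafe pattern described above next to the hardened one: a sanitize_callback on register_setting(), a capability gate on the page, esc_attr()/esc_textarea() on output, and an explicit current_user_can( 'unfiltered_html' ) check for the one field that may legitimately hold HTML. The option names, settings group, page slug and xyz_ prefix are assumed for illustration.

```php
<?php
/**
 * Added example, not code from the Affiliates Manager plugin: a minimal
 * WordPress settings page showing the unsafe pattern the advisory describes
 * beside a hardened version. The option names xyz_site_name and
 * xyz_banner_html, the group xyz_settings_group, the page slug xyz-settings
 * and the xyz_ prefix are assumed for illustration.
 */

// ---- Unsafe pattern: raw option echoed into markup -----------------------
// A saved value of  "><script>alert(document.cookie)</script>  closes the
// attribute and runs for every user who opens the page. Nothing checks
// unfiltered_html, so this works even where WordPress disallows that capability.
function xyz_render_site_name_unsafe() {
    $value = get_option( 'xyz_site_name', '' );
    echo '<input type="text" name="xyz_site_name" value="' . $value . '">';
}

// ---- Hardened pattern -----------------------------------------------------

// 1. Sanitise on save. register_setting() runs sanitize_callback on every
//    write that goes through options.php, so the cleaning cannot be skipped
//    by posting the form fields directly.
add_action( 'admin_init', function () {
    register_setting( 'xyz_settings_group', 'xyz_site_name', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field', // plain text: strips tags, newlines, control chars
        'default'           => '',
    ) );
    register_setting( 'xyz_settings_group', 'xyz_banner_html', array(
        'type'              => 'string',
        'sanitize_callback' => 'xyz_sanitize_banner_html',
        'default'           => '',
    ) );
} );

// A field that legitimately holds HTML honours unfiltered_html explicitly:
// users without it get the value reduced to the post-content allow-list,
// which is what WordPress itself does for post content.
function xyz_sanitize_banner_html( $input ) {
    $input = (string) $input;
    return current_user_can( 'unfiltered_html' ) ? $input : wp_kses_post( $input );
}

// 2. Gate the page by capability. add_options_page() hides the menu entry and
//    WordPress refuses the request for users lacking manage_options.
add_action( 'admin_menu', function () {
    add_options_page( 'XYZ Settings', 'XYZ Settings', 'manage_options',
        'xyz-settings', 'xyz_render_settings_page' );
} );

// 3. Escape on output, every time. Stored data is not trusted at render time
//    even though only administrators could have written it.
function xyz_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to access this page.' ) );
    }
    $site_name   = get_option( 'xyz_site_name', '' );
    $banner_html = get_option( 'xyz_banner_html', '' );
    ?>
    <div class="wrap">
        <h1><?php echo esc_html( get_admin_page_title() ); ?></h1>
        <form method="post" action="options.php">
            <?php settings_fields( 'xyz_settings_group' ); // nonce + option_page hidden fields ?>
            <p>
                <label for="xyz_site_name">Site name</label>
                <input type="text" id="xyz_site_name" name="xyz_site_name"
                       value="<?php echo esc_attr( $site_name ); ?>">
            </p>
            <p>
                <label for="xyz_banner_html">Banner HTML</label>
                <textarea id="xyz_banner_html" name="xyz_banner_html"><?php
                    echo esc_textarea( $banner_html ); ?></textarea>
            </p>
            <?php submit_button(); ?>
        </form>
        <!-- Where the banner is displayed, re-filter on output as well: the
             allow-list applied twice costs nothing and also covers values
             written before the sanitiser existed. -->
        <div class="xyz-banner-preview"><?php echo wp_kses_post( $banner_html ); ?></div>
    </div>
    <?php
}
```

To check a site after a fix of this kind, save a value such as `"><script>alert(1)</script>` in the site name field and reload the page: the hardened version shows those characters as text inside the input, the unsafe version shows the alert. On a multisite install, repeat the test in the banner field as a site administrator (who lacks unfiltered_html there) and confirm the script tag is stripped on save.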

Install the latest version of the Affiliates Manager plugin

If you are using the Affiliates Manager plugin, upgrade to the latest version. Read more about why this update is necessary and how it affects existing users in our blog post. To update, install the latest version from the WordPress plugin directory or apply the update from Plugins > Installed Plugins in the admin dashboard.

Timeline

Published on: 09/16/2022 09:15:00 UTC
Last modified on: 09/20/2022 14:32:00 UTC
