CVE-2021-25078

CVE-2021-25078: Affiliates Manager < 2.9.0 - Unauthenticated Stored Cross-Site Scripting

Vendor Unknown

Product Affiliates Manager

Weakness CWE-79 · XSS

Published January 24, 2022

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

The Affiliates Manager WordPress plugin before 2.9.0 does not validate, sanitise and escape the IP address of requests logged by the click tracking feature, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against admin viewing the tracked requests.

Key dates

02Disclosure timeline

January 24, 2022 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-25078

Related vulnerabilities

04Related CVE

CVE-2026-28558 wpForo Forum 2.4.14 Stored XSS via SVG Avatar File Upload CVE-2025-5062 WooCommerce <= 9.4.2 - PostMessage-Based Cross-Site Scripting CVE-2023-25553 CVE-2024-54303 WordPress Simple Payment plugin <= 2.3.8 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2026-34802 Endian Firewall /cgi-bin/salearn.cgi remark user ham spam Stored Cross-Site Scripting