CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5864 – Easy Affiliate Links <= 3.7.3 - Missing Authorization to Authenticated (Subscriber+) Settings Reset
https://notcve.org/view.php?id=CVE-2024-5864
27 Jun 2024 — The Easy Affiliate Links plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the eafl_reset_settings AJAX action in all versions up to, and including, 3.7.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's settings. • https://www.wordfence.com/threat-intel/vulnerabilities/id/e8a4c656-8df8-44ce-884f-dd502d17f594?source=cve • CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-34441 – WordPress Easy Affiliate Links plugin <= 3.7.2 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-34441
07 May 2024 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bootstrapped Ventures Easy Affiliate Links allows Stored XSS.This issue affects Easy Affiliate Links: from n/a through 3.7.2. La vulnerabilidad de neutralización inadecuada de la entrada durante la generación de páginas web ('cross-site Scripting') en Bootstrapped Ventures Easy Affiliate Links permite almacenar XSS. Este problema afecta a Easy Affiliate Links: desde n/a hasta 3.7.2. The Easy Affiliate Links... • https://patchstack.com/database/vulnerability/easy-affiliate-links/wordpress-easy-affiliate-links-plugin-3-7-2-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-0375 – Easy Affiliate Links < 3.7.1 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2023-0375
24 Jan 2023 — The Easy Affiliate Links WordPress plugin before 3.7.1 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The Easy Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block settings in versions up to, and including, 3.7.0 due to insufficient input sanitization and output escaping ... • https://wpscan.com/vulnerability/915d6add-d3e2-4ced-969e-9523981ac886 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •