Search criteria
6 vulnerabilities found for wc_affiliate by codexpert
CVE-2024-12336 (GCVE-0-2024-12336)
Vulnerability from nvd – Published: 2025-03-15 03:23 – Updated: 2025-03-17 21:28
VLAI?
Title
WC Affiliate – A Complete WooCommerce Affiliate Plugin <= 2.5.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via wf-export-all
Summary
The WC Affiliate – A Complete WooCommerce Affiliate Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'export_all_data' function in all versions up to, and including, 2.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to expose sensitive affiliate data, including personally identifiable information (PII).
Severity ?
6.5 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| codexpert | WC Affiliate – A Complete WooCommerce Affiliate Plugin |
Affected:
* , ≤ 2.5.3
(semver)
|
Credits
Thanh Nam Tran
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12336",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-17T21:25:18.503653Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T21:28:04.518Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WC Affiliate \u2013 A Complete WooCommerce Affiliate Plugin",
"vendor": "codexpert",
"versions": [
{
"lessThanOrEqual": "2.5.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thanh Nam Tran"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WC Affiliate \u2013 A Complete WooCommerce Affiliate Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the \u0027export_all_data\u0027 function in all versions up to, and including, 2.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to expose sensitive affiliate data, including personally identifiable information (PII)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-15T03:23:24.688Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cf0fb349-4cb8-4cf3-ae7c-5c4dcc6fd4f7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wc-affiliate/trunk/src/AJAX.php#L903"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-14T14:23:37.000+00:00",
"value": "Disclosed"
}
],
"title": "WC Affiliate \u2013 A Complete WooCommerce Affiliate Plugin \u003c= 2.5.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via wf-export-all"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12336",
"datePublished": "2025-03-15T03:23:24.688Z",
"dateReserved": "2024-12-06T23:10:48.527Z",
"dateUpdated": "2025-03-17T21:28:04.518Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12321 (GCVE-0-2024-12321)
Vulnerability from nvd – Published: 2025-01-27 06:00 – Updated: 2025-01-27 20:45
VLAI?
Title
WC Affiliate <= 2.3.9 - Reflected XSS
Summary
The WC Affiliate WordPress plugin through 2.3.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Severity ?
7.1 (High)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | WC Affiliate |
Affected:
0 , ≤ 2.3.9
(semver)
|
Credits
Hassan Khan Yusufzai - Splint3r7
WPScan
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-12321",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-27T20:38:28.764697Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-27T20:45:07.195Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://wpscan.com/vulnerability/d4c55d30-1c15-41ee-95e0-670891d67684/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "WC Affiliate",
"vendor": "Unknown",
"versions": [
{
"lessThanOrEqual": "2.3.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hassan Khan Yusufzai - Splint3r7"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WC Affiliate WordPress plugin through 2.3.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Cross-Site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-27T06:00:05.621Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/d4c55d30-1c15-41ee-95e0-670891d67684/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WC Affiliate \u003c= 2.3.9 - Reflected XSS",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2024-12321",
"datePublished": "2025-01-27T06:00:05.621Z",
"dateReserved": "2024-12-06T18:27:01.288Z",
"dateUpdated": "2025-01-27T20:45:07.195Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12334 (GCVE-0-2024-12334)
Vulnerability from nvd – Published: 2025-01-26 11:09 – Updated: 2025-01-27 14:52
VLAI?
Title
WC Affiliate – A Complete WooCommerce Affiliate Plugin <= 2.4 - Reflected Cross-Site Scripting
Summary
The WC Affiliate – A Complete WooCommerce Affiliate Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via any parameter in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| codexpert | WC Affiliate – A Complete WooCommerce Affiliate Plugin |
Affected:
* , ≤ 2.4
(semver)
|
Credits
Dale Mavers
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12334",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-27T14:39:56.717988Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-27T14:52:49.129Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WC Affiliate \u2013 A Complete WooCommerce Affiliate Plugin",
"vendor": "codexpert",
"versions": [
{
"lessThanOrEqual": "2.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dale Mavers"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WC Affiliate \u2013 A Complete WooCommerce Affiliate Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via any parameter in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-26T11:09:45.338Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/efca1ee2-2038-440e-941c-22533b4d833b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3224312/wc-affiliate"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-09T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-01-25T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "WC Affiliate \u2013 A Complete WooCommerce Affiliate Plugin \u003c= 2.4 - Reflected Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12334",
"datePublished": "2025-01-26T11:09:45.338Z",
"dateReserved": "2024-12-06T22:41:31.369Z",
"dateUpdated": "2025-01-27T14:52:49.129Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12336 (GCVE-0-2024-12336)
Vulnerability from cvelistv5 – Published: 2025-03-15 03:23 – Updated: 2025-03-17 21:28
VLAI?
Title
WC Affiliate – A Complete WooCommerce Affiliate Plugin <= 2.5.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via wf-export-all
Summary
The WC Affiliate – A Complete WooCommerce Affiliate Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'export_all_data' function in all versions up to, and including, 2.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to expose sensitive affiliate data, including personally identifiable information (PII).
Severity ?
6.5 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| codexpert | WC Affiliate – A Complete WooCommerce Affiliate Plugin |
Affected:
* , ≤ 2.5.3
(semver)
|
Credits
Thanh Nam Tran
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12336",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-17T21:25:18.503653Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T21:28:04.518Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WC Affiliate \u2013 A Complete WooCommerce Affiliate Plugin",
"vendor": "codexpert",
"versions": [
{
"lessThanOrEqual": "2.5.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thanh Nam Tran"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WC Affiliate \u2013 A Complete WooCommerce Affiliate Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the \u0027export_all_data\u0027 function in all versions up to, and including, 2.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to expose sensitive affiliate data, including personally identifiable information (PII)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-15T03:23:24.688Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cf0fb349-4cb8-4cf3-ae7c-5c4dcc6fd4f7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wc-affiliate/trunk/src/AJAX.php#L903"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-14T14:23:37.000+00:00",
"value": "Disclosed"
}
],
"title": "WC Affiliate \u2013 A Complete WooCommerce Affiliate Plugin \u003c= 2.5.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via wf-export-all"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12336",
"datePublished": "2025-03-15T03:23:24.688Z",
"dateReserved": "2024-12-06T23:10:48.527Z",
"dateUpdated": "2025-03-17T21:28:04.518Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12321 (GCVE-0-2024-12321)
Vulnerability from cvelistv5 – Published: 2025-01-27 06:00 – Updated: 2025-01-27 20:45
VLAI?
Title
WC Affiliate <= 2.3.9 - Reflected XSS
Summary
The WC Affiliate WordPress plugin through 2.3.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Severity ?
7.1 (High)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | WC Affiliate |
Affected:
0 , ≤ 2.3.9
(semver)
|
Credits
Hassan Khan Yusufzai - Splint3r7
WPScan
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-12321",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-27T20:38:28.764697Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-27T20:45:07.195Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://wpscan.com/vulnerability/d4c55d30-1c15-41ee-95e0-670891d67684/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "WC Affiliate",
"vendor": "Unknown",
"versions": [
{
"lessThanOrEqual": "2.3.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hassan Khan Yusufzai - Splint3r7"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WC Affiliate WordPress plugin through 2.3.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Cross-Site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-27T06:00:05.621Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/d4c55d30-1c15-41ee-95e0-670891d67684/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WC Affiliate \u003c= 2.3.9 - Reflected XSS",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2024-12321",
"datePublished": "2025-01-27T06:00:05.621Z",
"dateReserved": "2024-12-06T18:27:01.288Z",
"dateUpdated": "2025-01-27T20:45:07.195Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12334 (GCVE-0-2024-12334)
Vulnerability from cvelistv5 – Published: 2025-01-26 11:09 – Updated: 2025-01-27 14:52
VLAI?
Title
WC Affiliate – A Complete WooCommerce Affiliate Plugin <= 2.4 - Reflected Cross-Site Scripting
Summary
The WC Affiliate – A Complete WooCommerce Affiliate Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via any parameter in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| codexpert | WC Affiliate – A Complete WooCommerce Affiliate Plugin |
Affected:
* , ≤ 2.4
(semver)
|
Credits
Dale Mavers
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12334",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-27T14:39:56.717988Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-27T14:52:49.129Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WC Affiliate \u2013 A Complete WooCommerce Affiliate Plugin",
"vendor": "codexpert",
"versions": [
{
"lessThanOrEqual": "2.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dale Mavers"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WC Affiliate \u2013 A Complete WooCommerce Affiliate Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via any parameter in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-26T11:09:45.338Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/efca1ee2-2038-440e-941c-22533b4d833b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3224312/wc-affiliate"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-09T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-01-25T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "WC Affiliate \u2013 A Complete WooCommerce Affiliate Plugin \u003c= 2.4 - Reflected Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12334",
"datePublished": "2025-01-26T11:09:45.338Z",
"dateReserved": "2024-12-06T22:41:31.369Z",
"dateUpdated": "2025-01-27T14:52:49.129Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}