Skip to main content

Affiliate Super Assistent CVE-2026-42759

| EUVDEUVD-2026-32206 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-27 audit@patchstack.com GHSA-xpqq-823p-hvxr
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:33 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Timo Affiliate Super Assistent amazonsimpleadmin allows Stored XSS.This issue affects Affiliate Super Assistent: from n/a through <= 1.10.1.

AnalysisAI

Stored cross-site scripting in the Affiliate Super Assistent WordPress plugin (slug: amazonsimpleadmin, by Timo) affects all versions from initial release through 1.10.1, letting attackers persist malicious JavaScript that runs in the browser of any user who later loads the affected page. With a scope-changed CVSS of 7.1 (AV:N/AC:L/PR:N/UI:R), the payload can be planted without authentication but only fires when a victim views the rendered content. EPSS is very low (0.03%, 10th percentile) and there is no public exploit identified at time of analysis, consistent with CISA's SSVC rating of no observed exploitation.

Technical ContextAI

The affected component is a WordPress plugin (amazonsimpleadmin / 'Affiliate Super Assistent') used to embed and manage Amazon affiliate product listings within WordPress sites. The flaw is classified as CWE-79, Improper Neutralization of Input During Web Page Generation - the plugin accepts attacker-controllable input and reflects it into generated HTML/output without adequate output encoding or input sanitization, so injected markup is parsed as executable script rather than inert text. Because the payload is stored (persistent) rather than reflected, it is saved server-side and re-served to every subsequent visitor of the affected view. No CPE strings were supplied with this record; affected scope is defined by the EUVD/NVD version range rather than formal CPE 2.3 identifiers.

RemediationAI

No vendor-released patch identified at time of analysis - the data indicates all versions through 1.10.1 are affected with no fixed version specified, so monitor the Patchstack advisory and the plugin's WordPress.org/changelog page for a release above 1.10.1 and upgrade as soon as it is published. As compensating controls while unpatched: deploy a WordPress-aware WAF (such as Patchstack or equivalent) with virtual-patching rules for this CVE to filter XSS payloads at the injection point, accepting that generic rules may cause occasional false positives on legitimate rich content; restrict who can submit data into the plugin's input fields and review/sanitize any user-supplied affiliate or product content before it is stored; and consider tightening a Content-Security-Policy to disallow inline script execution, which limits payload effectiveness but can break themes or other plugins that rely on inline JavaScript. If the plugin is non-essential, deactivating and removing it eliminates the exposure entirely.

Share

CVE-2026-42759 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy