Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Timo Affiliate Super Assistent amazonsimpleadmin allows Stored XSS.This issue affects Affiliate Super Assistent: from n/a through <= 1.10.1.
AnalysisAI
Stored cross-site scripting in the Affiliate Super Assistent WordPress plugin (slug: amazonsimpleadmin, by Timo) affects all versions from initial release through 1.10.1, letting attackers persist malicious JavaScript that runs in the browser of any user who later loads the affected page. With a scope-changed CVSS of 7.1 (AV:N/AC:L/PR:N/UI:R), the payload can be planted without authentication but only fires when a victim views the rendered content. EPSS is very low (0.03%, 10th percentile) and there is no public exploit identified at time of analysis, consistent with CISA's SSVC rating of no observed exploitation.
Technical ContextAI
The affected component is a WordPress plugin (amazonsimpleadmin / 'Affiliate Super Assistent') used to embed and manage Amazon affiliate product listings within WordPress sites. The flaw is classified as CWE-79, Improper Neutralization of Input During Web Page Generation - the plugin accepts attacker-controllable input and reflects it into generated HTML/output without adequate output encoding or input sanitization, so injected markup is parsed as executable script rather than inert text. Because the payload is stored (persistent) rather than reflected, it is saved server-side and re-served to every subsequent visitor of the affected view. No CPE strings were supplied with this record; affected scope is defined by the EUVD/NVD version range rather than formal CPE 2.3 identifiers.
RemediationAI
No vendor-released patch identified at time of analysis - the data indicates all versions through 1.10.1 are affected with no fixed version specified, so monitor the Patchstack advisory and the plugin's WordPress.org/changelog page for a release above 1.10.1 and upgrade as soon as it is published. As compensating controls while unpatched: deploy a WordPress-aware WAF (such as Patchstack or equivalent) with virtual-patching rules for this CVE to filter XSS payloads at the injection point, accepting that generic rules may cause occasional false positives on legitimate rich content; restrict who can submit data into the plugin's input fields and review/sanitize any user-supplied affiliate or product content before it is stored; and consider tightening a Content-Security-Policy to disallow inline script execution, which limits payload effectiveness but can break themes or other plugins that rely on inline JavaScript. If the plugin is non-essential, deactivating and removing it eliminates the exposure entirely.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32206
GHSA-xpqq-823p-hvxr