CVE-2022-0818

Name of the Vulnerable Software and Affected Versions WooCommerce Affiliate Plugin versions prior to 4.16.4.5

Description The issue concerns a lack of authorization and CSRF checks on a specific action handler, as well as insufficient sanitization of settings. This enables an unauthenticated attacker to inject malicious XSS payloads into the plugin's settings page.

Recommendations For versions prior to 4.16.4.5, update to version 4.16.4.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's settings page to minimize the risk of exploitation.