CVE-2022-3896

Name of the Vulnerable Software and Affected Versions WP Affiliate Platform plugin for WordPress versions up to, and including, 6.3.9

Description The issue is related to Reflected Cross-Site Scripting via the $ SERVER["REQUEST URI"] variable, caused by insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages, which can execute if a user is tricked into performing an action like clicking on a link. However, this is unlikely to be effective in modern browsers.

Recommendations For versions up to, and including, 6.3.9, update to a version higher than 6.3.9 to resolve the issue. As a temporary workaround, consider restricting access to pages that use the $ SERVER["REQUEST URI"] variable until a patch is available.