{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14735", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-15T18:25:04.862Z", "datePublished": "2025-12-20T03:20:21.048Z", "dateUpdated": "2026-04-08T16:35:01.404Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:35:01.404Z"}, "affected": [{"vendor": "nestornoe", "product": "Amazon affiliate lite Plugin", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The \"Amazon affiliate lite Plugin\" plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "title": "Amazon affiliate lite Plugin <= 1.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c23cc3c-3c76-4ba8-8fa6-6ed0507a35c9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/afiliados-de-amazon-lite/trunk/ADAL-core.php?rev=1952216#L105"}, {"url": "https://plugins.trac.wordpress.org/browser/afiliados-de-amazon-lite/trunk/ADAL-core.php?rev=1952216#L236"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "cweId": "CWE-80", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "timeline": [{"time": "2025-12-19T15:05:07.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-22T16:13:27.212313Z", "id": "CVE-2025-14735", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-22T16:13:55.710Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14735", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-22T16:13:27.212313Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-22T16:13:51.595Z"}}], "cna": {"title": "Amazon affiliate lite Plugin <= 1.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "nestornoe", "product": "Amazon affiliate lite Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-19T15:05:07.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c23cc3c-3c76-4ba8-8fa6-6ed0507a35c9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/afiliados-de-amazon-lite/trunk/ADAL-core.php?rev=1952216#L105"}, {"url": "https://plugins.trac.wordpress.org/browser/afiliados-de-amazon-lite/trunk/ADAL-core.php?rev=1952216#L236"}], "descriptions": [{"lang": "en", "value": "The \"Amazon affiliate lite Plugin\" plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-80", "description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:35:01.404Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14735", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:35:01.404Z", "dateReserved": "2025-12-15T18:25:04.862Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-20T03:20:21.048Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The \"Amazon affiliate lite Plugin\" plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "id": "CVE-2025-14735", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-20T04:16:08.613", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/afiliados-de-amazon-lite/trunk/ADAL-core.php?rev=1952216#L105"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/afiliados-de-amazon-lite/trunk/ADAL-core.php?rev=1952216#L236"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c23cc3c-3c76-4ba8-8fa6-6ed0507a35c9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-80"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:02:47.768548+00:00", "value": {"mitigation_remediation": ["Upgrade the Amazon affiliate lite Plugin to the latest available version (any release after 1.0.0) to remove the stored XSS flaw.", "If a patched version is not available, disable or delete the plugin on all sites within the multi\u2011site network to eliminate the attack surface.", "Restrict administrator privileges to trusted users and consider applying role\u2011management controls to reduce the likelihood of compromised accounts."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting (admin\u2011only)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects installations of the Amazon affiliate lite Plugin for WordPress version 1.0.0 and earlier. It only applies to multi\u2011site networks and to sites that have the unfiltered_html feature disabled. Administrators with full control over the network can exploit the control panel of any site within the network.", "description_and_impact": "The Amazon affiliate lite Plugin is vulnerable to stored Cross\u2011Site Scripting (CWE\u201180). An attacker who has authenticated administrator\u2011or\u2011above privileges can insert arbitrary JavaScript into the plugin\u2019s admin settings. When a susceptible page is loaded by any site visitor, the embedded script executes within that user\u2019s browser context, allowing theft of session cookies, credential hijacking, or defacement of the site. The flaw arises from insufficient input sanitization and output escaping on the administrative side. This is a moderate\u2011severity flaw, scored 4.4 on CVSS, and is not currently listed in the CISA KEV catalog.", "risk_and_exploitability": "This flaw has a CVSS base score of 4.4, indicating moderate risk, and an EPSS score of less than 1\u202f%, suggesting a very low probability of exploitation in the wild. Because the vulnerability requires authenticated administrator\u2011level access, it is not exploitable by unauthenticated users or standard site visitors. The lack of a KEVlisting further implies that public exploits are not widespread. Attackers would need to compromise an existing administrator account or gain access through social engineering to inject malicious code into the plugin\u2019s settings, after which any user who views the affected page would be exposed to the embedded script. The impact is limited to user\u2011browser\u2011level attacks rather than server compromise."}}}}, "created": "2025-12-21T21:12:29.443318+00:00", "updated": "2026-04-22T16:15:21.786629+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}