{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-2077", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-03-06T21:38:30.605Z", "datePublished": "2025-03-12T03:21:28.668Z", "dateUpdated": "2026-04-08T17:31:28.132Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:31:28.132Z"}, "affected": [{"vendor": "duogeek", "product": "Simple Amazon Affiliate", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Simple Amazon Affiliate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'msg' parameter in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "title": "Simple Amazon Affiliate <= 1.0.9 - Reflected Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ecd48e2c-343f-4bae-9d9e-260d003ef87c?source=cve"}, {"url": "https://wordpress.org/plugins/simple-amazon-affiliate/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "siyuan shao"}], "timeline": [{"time": "2025-03-11T14:22:03.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-12T13:23:05.875992Z", "id": "CVE-2025-2077", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-12T13:24:13.588Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2077", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-12T13:23:05.875992Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-12T13:23:09.310Z"}}], "cna": {"title": "Simple Amazon Affiliate <= 1.0.9 - Reflected Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "siyuan shao"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "duogeek", "product": "Simple Amazon Affiliate", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-11T14:22:03.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ecd48e2c-343f-4bae-9d9e-260d003ef87c?source=cve"}, {"url": "https://wordpress.org/plugins/simple-amazon-affiliate/"}], "descriptions": [{"lang": "en", "value": "The Simple Amazon Affiliate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'msg' parameter in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:31:28.132Z"}}}, "cveMetadata": {"cveId": "CVE-2025-2077", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:31:28.132Z", "dateReserved": "2025-03-06T21:38:30.605Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-03-12T03:21:28.668Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:duogeek:simple_amazon_affiliate:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "F019B0DD-DD69-49AC-AE05-BF407269FF15", "versionEndIncluding": "1.0.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Simple Amazon Affiliate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'msg' parameter in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento Simple Amazon Affiliate para WordPress es vulnerable a Cross-Site Scripting Reflejado a trav\u00e9s del par\u00e1metro 'msg' en todas las versiones hasta la 1.0.9 incluida, debido a una depuraci\u00f3n de entrada y al escape de salida insuficiente. Esto permite a atacantes no autenticados inyectar secuencias de comandos web arbitrarias en p\u00e1ginas que se ejecutan si logran enga\u00f1ar al usuario para que realice una acci\u00f3n, como hacer clic en un enlace."}], "id": "CVE-2025-2077", "lastModified": "2025-04-02T12:44:08.040", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-03-12T04:15:19.000", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://wordpress.org/plugins/simple-amazon-affiliate/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ecd48e2c-343f-4bae-9d9e-260d003ef87c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T01:56:38.593658+00:00", "value": {"mitigation_remediation": ["Implement a content\u2011security\u2011policy that blocks inline scripts and restricts script sources to whitelisted origins, reducing the impact of any reflected script execution.", "Configure a WordPress firewall plugin or modify the site\u2019s functions to strip or encode the \"msg\" parameter before it is rendered, ensuring that any value passed through the URL cannot produce executable code.", "If immediate remediation is critical, disable or remove the Simple Amazon Affiliate plugin from the site until an official fix is released; alternatively, block the \"msg\" parameter altogether using web\u2011application firewall rules."], "summary": {"action": "Mitigate", "impact": "Reflected Cross\u2011Site Scripting allowing arbitrary JavaScript execution"}, "threat_synthesis": {"affected_systems": "WordPress installations that have the duogeek Simple Amazon Affiliate plugin installed in any version up to 1.0.9. Sites that have not replaced the plugin with a newer release are vulnerable. No vendor\u2011specific \u201cupgrade\u201d level is officially published, so the sole mitigation at present is to remove or neutralise the msg parameter usage or disable the plugin.", "description_and_impact": "The vulnerability exists in the Simple Amazon Affiliate WordPress plugin for all releases 1.0.9 or earlier. The plugin takes the value of the HTTP \"msg\" parameter, outputs it directly into a page without any escaping or sanitization, and therefore a crafted value containing JavaScript can be reflected back to the victim\u2019s browser. An attacker who can entice a user to visit a maliciously crafted URL can cause that user\u2019s browser to run arbitrary scripts, potentially compromising the site\u2019s session cookies, defacing the page, or launching secondary attacks from the victim\u2019s session.", "risk_and_exploitability": "The CVSS score of 6.1 indicates medium severity, while the EPSS score is below 1\u202f% and the issue is not listed in CISA\u2019s KEV catalogue, reflecting a low current exploitation probability. The flaw is exploitable by an unauthenticated attacker through a user\u2011initiated, link\u2011based attack vector; any web visitor who follows a malicious link can be compromised without further privileges."}}}}, "created": "2026-04-22T02:00:05.040798+00:00", "updated": "2026-04-22T02:00:05.040810+00:00", "vendors": []}