wp-plugin : cbi-referral-manager – A3-Cross-Site Scripting (XSS)


Plugin Details


Plugin Name : cbi-referral-manager


Affected Version : 1.2.1 (and most probably lower versions, if any)

Vulnerability : A3-Cross-Site Scripting (XSS)
Identified by : Prajal Kulkarni



Technical Details


Minimum Level of Access Required : Unauthenticated


PoC - (Proof of Concept) :





Disclosure Timeline


Vendor Contacted : 2013-12-16

Plugin Status : Closed on 2014-01-11
Public Disclosure : April 25, 2014
CVE Number : CVE-2014-4517

Plugin Description :
This plugin implements a site link list in the sidebar page area. The list is sorted and filtered by the number of visitors sent from each particular link owner as well as relevance from matching keywords. The list can be limited to a number of results. Visitors can submit their site to the list and receive an
affiliate link to place in their site.

New site submissions must be approved in the admin page.

This plugin will create a set of database tables to store unique visitors IP addresses, affiliate details and
affiliate traffic details.
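The advisory does not say which input the XSS rides on, only that an unauthenticated visitor can trigger it and that the plugin stores visitor-submitted site details for display in the sidebar. The block below is an added example, not the plugin's own code, showing the input-and-output escaping pattern a WordPress plugin with that data flow should follow. The function names, field names and sample submission are constructed for illustration; the WordPress helpers (`sanitize_text_field`, `esc_url_raw`, `esc_url`, `esc_html`) are real core functions.

```php
<?php
// Added example (not cbi-referral-manager code): handle a visitor-submitted
// site entry with WordPress escaping on both the way in and the way out.
// Function and field names are hypothetical.

/**
 * Input side: sanitize a site submission before it is stored.
 * Returns null when the name is empty or the URL is not a plain http(s) URL.
 */
function example_sanitize_submission( array $raw ) {
    // sanitize_text_field() strips tags and control characters.
    $name = sanitize_text_field( $raw['site_name'] ?? '' );
    // esc_url_raw() returns '' for schemes outside the allowed list,
    // so a javascript: URL never reaches the database.
    $url  = esc_url_raw( $raw['site_url'] ?? '', array( 'http', 'https' ) );
    if ( '' === $name || '' === $url ) {
        return null;
    }
    return array( 'site_name' => $name, 'site_url' => $url );
}

/**
 * Output side: render approved sites for the sidebar.
 * Each value is escaped for the context it lands in, independent of any
 * sanitization done on input: stored rows are still untrusted at output.
 */
function example_render_link_list( array $sites ) {
    $html = '<ul class="referral-links">';
    foreach ( $sites as $site ) {
        $html .= sprintf(
            '<li><a href="%s" rel="nofollow">%s</a> (%d visitors)</li>',
            esc_url( $site['site_url'] ),   // URL/attribute context
            esc_html( $site['site_name'] ), // HTML text context
            (int) $site['visitors']         // integer cast, no string reaches the page
        );
    }
    return $html . '</ul>';
}

// Constructed sample: markup in the name and a javascript: URL.
$submission = example_sanitize_submission( array(
    'site_name' => '<img src=x onerror=alert(1)>Example',
    'site_url'  => 'javascript:alert(1)',
) );
var_dump( $submission ); // NULL: the URL scheme is rejected, so nothing is stored

// A clean submission renders with both fields escaped.
echo example_render_link_list( array(
    array( 'site_name' => 'Example <Site>', 'site_url' => 'https://example.com/?a=1&b=2', 'visitors' => '42' ),
) );
```

The point to take from the pairing is that output escaping is the control that actually prevents the XSS; input sanitization only narrows what gets stored, and the admin approval step mentioned above does not replace either, since an approver viewing a malicious submission in the admin page is itself an output context.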

Version: 1.2.1 Admin network sites now have searching and next/prev pages for available sites to add.
Version: 1.2.0 Admin cleanup. Preliminary support for global affiliate network. All approved sites are added to a global site repository that is available to all referral manager plugin users to add to their site.
Version: 1.1.1 Improves the ranking sorting with post title, body and category as well as new bullets to the links displayed.
Version: 1.1.0 Links are now ranked by relevance from keywords in visible post and the amount of traffic the site brings. Aesthetic cleanup.
Version: 1.0.2 Fixes a bug in the reffered.php file so that it loads the main site if the landing page is not set.
Version: 1.0.1 Cleans up the admin tools and includes an edit link function
