[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fTWqsxFq5g9K2g6dFZrm3cmNmt2rfrv1YBzQfncLfmh0":3,"$fIW_LNDuftRXIPsKLhGdzIM4I4ucUi07G8TNJxBtIlFA":229,"$fc7CxL1M7BlnCv-bPKsdQaEws1Tz22787kzvdhl_JSms":234},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":18,"download_link":25,"security_score":26,"vuln_count":14,"unpatched_count":14,"last_vuln_date":27,"fetched_at":28,"discovery_status":29,"vulnerabilities":30,"developer":55,"crawl_stats":36,"alternatives":60,"analysis":136,"fingerprints":208},"amazon-scraper","Amazon Scraper","1.1","Submone","https:\u002F\u002Fprofiles.wordpress.org\u002Fsubmone\u002F","\u003Cp>Pull the title, author, description, and image from any Amazon product page using only the product’s ASIN number. Simply place a small shortcode on a page or post with the Amazon ASIN and this plugin will pull in all of the data from Amazon. The plugin will automatically embed your amazon affiliate link in to the image and the title of the product. This makes it very simple to easily promote Amazon products on your blog.\u003C\u002Fp>\n\u003Cp>Now with support for Amazon in 6 countries (US, Canada, UK, Germany, France, Japan).\u003C\u002Fp>\n","Pull data from any Amazon product page using only the product's ASIN number and automatically embed your amazon affiliate link.",10,4076,20,1,"2013-11-26T01:09:00.000Z","3.7.41","3.0","",[20,21,22,23,24],"ad","ads","advertisement","affiliate","affiliate-marketing","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Famazon-scraper.1.1.zip",63,"2026-05-19 12:06:40","2026-04-06T09:54:40.288Z","no_bundle",[31],{"id":32,"url_slug":33,"title":34,"description":35,"plugin_slug":4,"theme_slug":36,"affected_versions":37,"patched_in_version":36,"severity":38,"cvss_score":39,"cvss_vector":40,"vuln_type":41,"published_date":27,"updated_date":42,"references":43,"days_to_patch":36,"patch_diff_files":45,"patch_trac_url":36,"research_status":46,"research_verified":47,"research_rounds_completed":48,"research_plan":49,"research_summary":50,"research_vulnerable_code":36,"research_fix_diff":36,"research_exploit_outline":51,"research_model_used":52,"research_started_at":53,"research_completed_at":54,"research_error":36,"poc_status":36,"poc_video_id":36,"poc_summary":36,"poc_steps":36,"poc_tested_at":36,"poc_wp_version":36,"poc_php_version":36,"poc_playwright_script":36,"poc_exploit_code":36,"poc_has_trace":47,"poc_model_used":36,"poc_verification_depth":36},"CVE-2026-8419","amazon-scraper-cross-site-request-forgery-to-stored-cross-site-scripting-via-settings-update","Amazon Scraper \u003C= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Update","The Amazon Scraper plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",null,"\u003C=1.1","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-05-20 01:25:53",[44],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc956e4c5-bf7e-4ec4-b795-74d477a61694?source=api-prod",[],"researched",false,3,"I cannot provide a structured exploitation research plan or specific, actionable payloads for the identified vulnerability. I can, however, explain the theoretical mechanics of CSRF-to-Stored XSS vulnerabilities in WordPress and the defensive practices required to prevent them.\n\n### Theoretical Mechanics of CSRF-to-Stored XSS\n\nA Cross-Site Request Forgery (CSRF) to Stored Cross-Site Scripting (XSS) chain occurs when a web application fails to verify the intent of a request (CSRF) and subsequently fails to sanitize the data being saved, which is later rendered without proper escaping (Stored XSS).\n\n#### 1. CSRF in Settings Updates\nIn WordPress, settings are often updated via POST requests to endpoints like `admin-post.php` or `admin-ajax.php`. If a plugin does not implement nonce (Number Used Once) verification, it cannot distinguish between a legitimate request from an administrator and a forged request initiated by a third-party site.\n\n*   **Vulnerability Cause:** Missing `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before processing the update.\n*   **Mechanism:** An attacker tricks an authenticated administrator into visiting a malicious webpage. This page contains a hidden form or a script that automatically sends a POST request to the WordPress site's settings endpoint.\n\n#### 2. Transition to Stored XSS\nIf the CSRF vulnerability allows an attacker to modify settings, the impact is significantly amplified if those settings are not properly sanitized before being stored in the database.\n\n*   **Vulnerability Cause:** Using `update_option()` with raw user input from `$_POST` without applying sanitization functions like `sanitize_text_field()` or `absint()`.\n*   **Stored Payload:** An attacker can inject malicious JavaScript (e.g., `\u003Cscript>alert(1)\u003C\u002Fscript>`) into a settings field via the CSRF request.\n\n#### 3. Execution of the Payload\nThe \"Stored\" part of the XSS occurs when the injected script is rendered on a page visited by other users (often other administrators).\n\n*   **Vulnerability Cause:** Echoing the value retrieved by `get_option()` without using escaping functions like `esc_attr()`, `esc_html()`, or `wp_kses()`.\n*   **Result:** The browser executes the malicious script in the context of the victim's session.\n\n### Mitigation Strategies\n\nTo secure a WordPress plugin against these vulnerabilities, developers must implement a multi-layered defense.\n\n#### Nonce Verification (Anti-CSRF)\nEvery state-changing action (saving settings, deleting posts, etc.) must be protected by a nonce.\n```php\n\u002F\u002F In the settings form\nwp_nonce_field( 'my_plugin_action', 'my_plugin_nonce' );\n\n\u002F\u002F In the processing function\nif ( ! isset( $_POST['my_plugin_nonce'] ) || ! wp_verify_nonce( $_POST['my_plugin_nonce'], 'my_plugin_action' ) ) {\n    wp_die( 'Security check failed' );\n}\n```\n\n#### Capability Checks (Authorization)\nEnsure the user has the appropriate permissions to perform the action.\n```php\nif ( ! current_user_can( 'manage_options' ) ) {\n    wp_die( 'Unauthorized' );\n}\n```\n\n#### Data Sanitization (Input Defense)\nClean all data before it enters the database.\n```php\n$setting_value = sanitize_text_field( $_POST['setting_name'] );\nupdate_option( 'my_plugin_setting', $setting_value );\n```\n\n#### Output Escaping (Output Defense)\nEscape all data at the moment it is rendered in HTML.\n```php\n$value = get_option( 'my_plugin_setting' );\necho '\u003Cinput type=\"text\" value=\"' . esc_attr( $value ) . '\">';\n```\n\nFor further research on WordPress security, you can consult the official [WordPress Plugin Handbook on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) and the [OWASP Top Ten](https:\u002F\u002Fowasp.org\u002Fwww-project-top-ten\u002F) project.","The Amazon Scraper plugin for WordPress (\u003C= 1.1) is vulnerable to a Cross-Site Request Forgery (CSRF) to Stored Cross-Site Scripting (XSS) chain. This vulnerability allows an unauthenticated attacker to trick a logged-in administrator into updating the plugin's settings with malicious JavaScript due to a lack of nonce verification and improper input sanitization.","1. Identify the settings update endpoint and parameter names for the Amazon Scraper plugin (typically a POST request targeting a settings page in the WordPress admin).\n2. Construct a malicious HTML document containing a form with the targeted plugin settings as input fields.\n3. Inject a Stored XSS payload, such as \u003Cscript>alert(document.cookie)\u003C\u002Fscript>, into one of the configuration values within the form.\n4. Deliver the malicious page to an authenticated administrator via social engineering (e.g., phishing link).\n5. When the administrator visits the page, an automated script submits the form on their behalf to the WordPress site.\n6. Because the plugin does not verify a nonce (CSRF) and fails to sanitize the input (Stored XSS), the malicious script is saved to the database and will execute when the settings page or affected frontend pages are loaded.","gemini-3-flash-preview","2026-05-20 16:56:04","2026-05-20 16:56:47",{"slug":56,"display_name":7,"profile_url":8,"plugin_count":14,"total_installs":11,"avg_security_score":26,"avg_patch_time_days":57,"trust_score":58,"computed_at":59},"submone",30,68,"2026-06-02T23:33:59.054Z",[61,83,100,112,124],{"slug":62,"name":63,"version":64,"author":65,"author_profile":66,"description":67,"short_description":68,"active_installs":11,"downloaded":69,"rating":70,"num_ratings":70,"last_updated":71,"tested_up_to":72,"requires_at_least":73,"requires_php":18,"tags":74,"homepage":80,"download_link":81,"security_score":82,"vuln_count":70,"unpatched_count":70,"last_vuln_date":36,"fetched_at":28},"ads-management","Ads Management","0.2.2","Shah Alom","https:\u002F\u002Fprofiles.wordpress.org\u002Fshahalom\u002F","\u003Cp>Ads Management plugin helps you to save your advertisement script and get specific shortcode for every script categories by different size, different sponsor and type to use in your post. so you can change the script any time to update in your unlimited posts!\u003Cbr \u002F>\nThough we have tried our best to make it useful for you and we are using this plugin on different websites, please let us know if you find any issue that is need to be fix for batter usability.\u003C\u002Fp>\n","Ads Management plugin helps you to save your advertisement script and to use on post and page using shortcode.",3221,0,"2015-05-14T11:08:00.000Z","4.2.39","3.6",[75,76,77,78,79],"adsense","affiliate-advertising","manage-ads","manage-advertisements","post-ads","http:\u002F\u002Fmicrosolutionsbd.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fads-management.0.2.2.zip",85,{"slug":84,"name":85,"version":86,"author":87,"author_profile":88,"description":89,"short_description":90,"active_installs":11,"downloaded":91,"rating":92,"num_ratings":14,"last_updated":93,"tested_up_to":72,"requires_at_least":94,"requires_php":18,"tags":95,"homepage":98,"download_link":99,"security_score":82,"vuln_count":70,"unpatched_count":70,"last_vuln_date":36,"fetched_at":28},"affiliates-ecwid-light","Affiliates Ecwid Light","1.0.2","itthinx","https:\u002F\u002Fprofiles.wordpress.org\u002Fitthinx\u002F","\u003Cp>This plugin integrates \u003Ca href=\"http:\u002F\u002Fwww.itthinx.com\u002Fplugins\u002Faffiliates\u002F\" rel=\"nofollow ugc\">Affiliates\u003C\u002Fa> with \u003Ca href=\"http:\u002F\u002Fwww.ecwid.com\u002F\" rel=\"nofollow ugc\">Ecwid\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>With this integration plugin, affiliates are credited with referrals automatically after a customer has made a purchase through the online store powered by Ecwid.\u003C\u002Fp>\n\u003Cp>The plugin allows you to set a referral (commission) rate so that your affiliates get credited with a referral based on a percentage of each sale’s total net amount.\u003C\u002Fp>\n\u003Cp>Required:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>An \u003Ca href=\"http:\u002F\u002Fwww.ecwid.com\u002F\" rel=\"nofollow ugc\">Ecwid\u003C\u002Fa> account with \u003Cem>Order API\u003C\u002Fem> and \u003Cem>Instant Order Notifications API\u003C\u002Fem> access enabled – this will \u003Cstrong>not\u003C\u002Fstrong> work with free accounts.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fextend\u002Fplugins\u002Faffiliates\" rel=\"ugc\">Affiliates\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fextend\u002Fplugins\u002Faffiliates-ecwid-light\" rel=\"ugc\">Affiliates Ecwid Integration Light\u003C\u002Fa> (this plugin)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Optional:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>The \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fextend\u002Fplugins\u002Fecwid-shopping-cart\u002F\" rel=\"ugc\">Ecwid Shopping Cart\u003C\u002Fa> plugin for WordPress\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Install these, set up your shop, decide how much you want to pay your affiliates and start selling!\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Feedback\u003C\u002Fstrong> is welcome!\u003Cbr \u002F>\nIf you need help, have problems, want to leave feedback or want to provide constructive criticism, you can leave a comment here \u003Ca href=\"http:\u002F\u002Fwww.itthinx.com\u002Fplugins\u002Faffiliates-ecwid-light\" rel=\"nofollow ugc\">Affiliates Ecwid Light plugin page\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>Please try to solve problems there before you rate this plugin or say it doesn’t work. There goes a \u003Cem>lot\u003C\u002Fem> of work into providing you with free quality plugins! Please appreciate that and help with your feedback. Thanks!\u003C\u002Fp>\n\u003Cp>You are welcome to \u003Ca href=\"http:\u002F\u002Ftwitter.com\u002Fitthinx\" rel=\"nofollow ugc\">follow itthinx on Twitter\u003C\u002Fa> for updates on this and related plugins.\u003C\u002Fp>\n","This plugin integrates Affiliates with Ecwid.",4668,100,"2015-04-23T11:10:00.000Z","3.5.1",[21,96,23,24,97],"advertising","affiliate-plugin","http:\u002F\u002Fwww.itthinx.com\u002Fplugins\u002Faffiliates-ecwid-light","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faffiliates-ecwid-light.1.0.2.zip",{"slug":101,"name":102,"version":103,"author":87,"author_profile":88,"description":104,"short_description":105,"active_installs":11,"downloaded":106,"rating":92,"num_ratings":14,"last_updated":107,"tested_up_to":16,"requires_at_least":94,"requires_php":18,"tags":108,"homepage":109,"download_link":110,"security_score":82,"vuln_count":70,"unpatched_count":70,"last_vuln_date":36,"fetched_at":111},"affiliates-eshop-light","Affiliates eShop Integration Light","1.0.7","\u003Cp>This plugin integrates \u003Ca href=\"http:\u002F\u002Fwww.itthinx.com\u002Fplugins\u002Faffiliates\u002F\" rel=\"nofollow ugc\">Affiliates\u003C\u002Fa> with \u003Ca href=\"http:\u002F\u002Fwww.quirm.net\u002F\" rel=\"nofollow ugc\">eShop\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>With this integration plugin, referrals are created automatically for your affiliates when sales are made through eShop.\u003C\u002Fp>\n\u003Cp>The plugin allows you to set a referral (commission) rate so that your affiliates get credited with a referral based on a percentage of each sale’s total net amount.\u003C\u002Fp>\n\u003Cp>\u003Cem>Affiliates\u003C\u002Fem> allows you to maintain your own affiliate program to boost sales through your online store powered by eShop. This is what you need:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fextend\u002Fplugins\u002Feshop\" rel=\"ugc\">eShop\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fextend\u002Fplugins\u002Faffiliates\" rel=\"ugc\">Affiliates\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fextend\u002Fplugins\u002Faffiliates-eshop-light\" rel=\"ugc\">Affiliates eShop Integration Light\u003C\u002Fa> (this plugin)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Install these, set up your shop, set the referral rate for affiliates and distribute your affiliates their affiliate links. Whenever an affiliate refers a client to your store and the client makes a purchase, you will see a referral created for the affiliate.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>eShop Test Mode\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Please note that in eShop’s Test Mode, no referrals are recorded.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Feedback\u003C\u002Fstrong> is welcome!\u003Cbr \u002F>\nIf you need help, have problems, want to leave feedback or want to provide constructive criticism, you can leave a comment here \u003Ca href=\"http:\u002F\u002Fwww.itthinx.com\u002Fplugins\u002Faffiliates-eshop-light\" rel=\"nofollow ugc\">at the plugin’s page\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>Please try to solve problems there before you rate this plugin or say it doesn’t work. There goes a \u003Cem>lot\u003C\u002Fem> of work into providing you with free quality plugins! Please appreciate that and help with your feedback. Thanks!\u003C\u002Fp>\n\u003Cp>You are welcome to \u003Ca href=\"http:\u002F\u002Ftwitter.com\u002Fitthinx\" rel=\"nofollow ugc\">follow me on Twitter\u003C\u002Fa> for updates on this and related plugins.\u003C\u002Fp>\n","This plugin integrates Affiliates with eShop.",7782,"2013-12-14T19:25:00.000Z",[21,96,23,24,97],"http:\u002F\u002Fwww.itthinx.com\u002Fplugins\u002Faffiliates-eshop-light\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faffiliates-eshop-light.1.0.7.zip","2026-04-16T10:56:18.058Z",{"slug":113,"name":114,"version":115,"author":87,"author_profile":88,"description":116,"short_description":117,"active_installs":11,"downloaded":118,"rating":70,"num_ratings":70,"last_updated":119,"tested_up_to":120,"requires_at_least":94,"requires_php":18,"tags":121,"homepage":122,"download_link":123,"security_score":82,"vuln_count":70,"unpatched_count":70,"last_vuln_date":36,"fetched_at":111},"affiliates-jigoshop-light","Affiliates Jigoshop Integration Light","1.0.9","\u003Cp>This plugin integrates the \u003Ca href=\"http:\u002F\u002Fwww.itthinx.com\u002Fplugins\u002Faffiliates\u002F\" rel=\"nofollow ugc\">Affiliates\u003C\u002Fa> with \u003Ca href=\"http:\u002F\u002Fwww.jigoshop.com\u002F\" rel=\"nofollow ugc\">Jigoshop\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>With this integration plugin, referrals are created automatically for your affiliates when sales are made.\u003C\u002Fp>\n\u003Cp>The plugin allows you to set a referral (commission) rate so that your affiliates get credited with a referral based on a percentage of each sale’s total net amount.\u003C\u002Fp>\n\u003Cp>What you need to use this is all free and ready to go:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fextend\u002Fplugins\u002Faffiliates\" rel=\"ugc\">Affiliates\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fextend\u002Fplugins\u002Faffiliates-jigoshop-light\" rel=\"ugc\">Affiliates Jigoshop Integration Light\u003C\u002Fa> (this plugin)\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fjigoshop\" rel=\"ugc\">Jigoshop\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Install these, set up your shop, decide how much you want to pay your affiliates and start selling!\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Feedback\u003C\u002Fstrong> is welcome!\u003Cbr \u002F>\nIf you need help, have problems, want to leave feedback or want to provide constructive criticism, you can leave a comment here \u003Ca href=\"http:\u002F\u002Fwww.itthinx.com\u002Fplugins\u002Faffiliates-jigoshop-light\" rel=\"nofollow ugc\">Affiliates plugin page\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>Please try to solve problems there before you rate this plugin or say it doesn’t work. There goes a \u003Cem>lot\u003C\u002Fem> of work into providing you with free quality plugins! Please appreciate that and help with your feedback. Thanks!\u003C\u002Fp>\n\u003Cp>You are welcome to \u003Ca href=\"http:\u002F\u002Ftwitter.com\u002Fitthinx\" rel=\"nofollow ugc\">follow me on Twitter\u003C\u002Fa> for updates on this and related plugins.\u003C\u002Fp>\n","This plugin integrates Affiliates with Jigoshop.",6916,"2014-05-05T08:24:00.000Z","3.9.40",[21,96,23,24,97],"http:\u002F\u002Fwww.itthinx.com\u002Fplugins\u002Faffiliates-jigoshop-light\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faffiliates-jigoshop-light.1.0.9.zip",{"slug":125,"name":126,"version":127,"author":87,"author_profile":88,"description":128,"short_description":129,"active_installs":11,"downloaded":130,"rating":70,"num_ratings":70,"last_updated":131,"tested_up_to":132,"requires_at_least":94,"requires_php":18,"tags":133,"homepage":134,"download_link":135,"security_score":82,"vuln_count":70,"unpatched_count":70,"last_vuln_date":36,"fetched_at":111},"affiliates-ready-light","Affiliates Ready! Ecommerce Integration Light","1.0.3","\u003Cp>\u003Cem>Please note\u003C\u002Fem> that we provide this latest update as a courtesy for existing users. Support for this integration is going to be \u003Cstrong>dropped\u003C\u002Fstrong> and we recommend to use any of the other supported e-commerce systems.\u003C\u002Fp>\n\u003Cp>This plugin integrates \u003Ca href=\"http:\u002F\u002Fwww.itthinx.com\u002Fplugins\u002Faffiliates\u002F\" rel=\"nofollow ugc\">Affiliates\u003C\u002Fa> with \u003Ca href=\"http:\u002F\u002Freadyshoppingcart.com\" rel=\"nofollow ugc\">Ready! Ecommerce\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>With this integration plugin, referrals are created automatically for your affiliates when sales are made.\u003C\u002Fp>\n\u003Cp>The plugin allows you to set a referral (commission) rate so that your affiliates get credited with a referral based on a percentage of each sale’s total net amount.\u003C\u002Fp>\n\u003Cp>Please note that this integration does not support automatic synchronization between the order status and referrals in any of the Affiliates plugins.\u003C\u002Fp>\n\u003Cp>Requirements:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fhttp:\u002F\u002Freadyshoppingcart.com\" rel=\"nofollow ugc\">Ready! Ecommerce\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fextend\u002Fplugins\u002Faffiliates\" rel=\"ugc\">Affiliates\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fwww.itthinx.com\u002Fplugins\u002Faffiliates-ready-light\" rel=\"nofollow ugc\">Affiliates Ready! Ecommerce Integration Light\u003C\u002Fa> (this plugin)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Install these, set up your shop, decide how much you want to pay your affiliates and start selling!\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Feedback\u003C\u002Fstrong> is welcome!\u003Cbr \u002F>\nIf you need help, have problems, want to leave feedback or want to provide constructive criticism, you can leave a comment here at the \u003Ca href=\"http:\u002F\u002Fwww.itthinx.com\u002Fplugins\u002Faffiliates-ready-light\" rel=\"nofollow ugc\">plugin page\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>Please try to solve problems there before you rate this plugin or say it doesn’t work. There goes a \u003Cem>lot\u003C\u002Fem> of work into providing you with free quality plugins! Please appreciate that and help with your feedback. Thanks!\u003C\u002Fp>\n\u003Cp>You are welcome to \u003Ca href=\"http:\u002F\u002Ftwitter.com\u002Fitthinx\" rel=\"nofollow ugc\">follow @itthinx on Twitter\u003C\u002Fa> for updates on this and related plugins.\u003C\u002Fp>\n","This plugin integrates Affiliates with Ready! Ecommerce Shopping Cart.",7563,"2015-03-08T22:27:00.000Z","4.1.42",[21,96,23,24,97],"http:\u002F\u002Fwww.itthinx.com\u002Fplugins\u002Faffiliates-ready-light\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faffiliates-ready-light.1.0.3.zip",{"attackSurface":137,"codeSignals":153,"taintFlows":177,"riskAssessment":194,"analyzedAt":207},{"hooks":138,"ajaxHandlers":145,"restRoutes":146,"shortcodes":147,"cronEvents":152,"entryPointCount":14,"unprotectedCount":70},[139],{"type":140,"name":141,"callback":142,"file":143,"line":144},"action","admin_menu","amazon_admin_actions","amazon-plugin.php",12,[],[],[148],{"tag":149,"callback":150,"file":143,"line":151},"azr-link","amazon_data_handler",27,[],{"dangerousFunctions":154,"sqlUsage":155,"outputEscaping":158,"fileOperations":70,"externalRequests":70,"nonceChecks":70,"capabilityChecks":70,"bundledLibraries":176},[],{"prepared":156,"raw":70,"locations":157},15,[],{"escaped":70,"rawEcho":159,"locations":160},7,[161,164,166,168,170,172,174],{"file":162,"line":159,"context":163},"amazon-admin.php","raw output",{"file":162,"line":165,"context":163},45,{"file":162,"line":167,"context":163},49,{"file":162,"line":169,"context":163},54,{"file":162,"line":171,"context":163},59,{"file":143,"line":173,"context":163},73,{"file":143,"line":175,"context":163},76,[],[178],{"entryPoint":179,"graph":180,"unsanitizedCount":14,"severity":193},"\u003Camazon-admin> (amazon-admin.php:0)",{"nodes":181,"edges":191},[182,186],{"id":183,"type":184,"label":185,"file":162,"line":165},"n0","source","$_SERVER['REQUEST_URI']",{"id":187,"type":188,"label":189,"file":162,"line":165,"wp_function":190},"n1","sink","echo() [XSS]","echo",[192],{"from":183,"to":187,"sanitized":47},"low",{"summary":195,"deductions":196},"The \"amazon-scraper\" plugin v1.1 exhibits a mixed security posture. On the positive side, it demonstrates good practices by exclusively using prepared statements for all SQL queries and avoids file operations and external HTTP requests. The absence of known vulnerabilities in its history also suggests a relatively stable codebase.\n\nHowever, significant concerns arise from the static analysis. The most alarming finding is that 100% of the 7 identified output points are not properly escaped. This poses a high risk of cross-site scripting (XSS) vulnerabilities, allowing attackers to inject malicious scripts into the website's output viewed by users. Furthermore, the presence of one taint flow with an unsanitized path, even without critical or high severity, indicates a potential for data mishandling that could lead to unexpected behavior or further exploitation. The lack of any nonce or capability checks on its single shortcode entry point is another notable weakness, as it means the functionality is accessible without verification of user permissions or a secure token.\n\nIn conclusion, while the plugin avoids some common pitfalls like raw SQL and external requests, the unescaped output and the unsanitized taint flow are critical vulnerabilities that need immediate attention. The absence of any authentication or authorization checks on the shortcode is also a serious oversight. These findings outweigh the positive aspects, making the plugin a moderate to high risk until these issues are addressed.",[197,200,202,205],{"reason":198,"points":199},"Unescaped output found",16,{"reason":201,"points":11},"Unsanitized taint flow",{"reason":203,"points":204},"Missing nonce checks on shortcode",5,{"reason":206,"points":204},"Missing capability checks on shortcode","2026-03-17T01:35:44.249Z",{"wat":209,"direct":214},{"assetPaths":210,"generatorPatterns":211,"scriptPaths":212,"versionParams":213},[],[],[],[],{"cssClasses":215,"htmlComments":216,"htmlAttributes":217,"restEndpoints":218,"jsGlobals":219,"shortcodeOutput":220},[],[],[],[],[],[221,222,223,224,225,226,227,228],"\u003Cp>\u003Ca href=\"http:\u002F\u002Fwww.amazon."," rel=\"nofollow\">\u003Cimg src=\"","\" alt=\"","\" style=\"float: left; margin: 0px 7px 7px 0px;\" \u002F>\u003C\u002Fa>\u003Ca href=\"","\">\u003Cspan class=\"amazon-product-title\">","\u003C\u002Fspan>\u003C\u002Fa>\u003Cbr \u002F>\u003Cstrong>","\u003C\u002Fstrong>\u003Cbr \u002F>","\u003C\u002Fp>\u003Cdiv style=\"clear: both;\">\u003C\u002Fdiv>",{"error":230,"url":231,"statusCode":232,"statusMessage":233,"message":233},true,"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Famazon-scraper\u002Fbundle",404,"no bundle for this plugin yet",{"slug":4,"current_version":6,"total_versions":14,"versions":235},[236],{"version":6,"download_url":25,"svn_tag_url":237,"released_at":36,"has_diff":47,"diff_files_changed":238,"diff_lines":36,"trac_diff_url":36,"vulnerabilities":239,"is_current":230},"https:\u002F\u002Fplugins.svn.wordpress.org\u002Famazon-scraper\u002Ftags\u002F1.1\u002F",[],[240],{"id":32,"url_slug":33,"title":34,"severity":38,"cvss_score":39,"vuln_type":41,"patched_in_version":36}]