CVE-2025-14735
📋 TL;DR
The Amazon affiliate lite WordPress plugin has a stored XSS vulnerability in admin settings that allows authenticated administrators to inject malicious scripts. These scripts execute when users visit affected pages. Only WordPress multisite installations or sites with unfiltered_html disabled are vulnerable.
💻 Affected Systems
- Amazon affiliate lite WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Administrator account compromise leading to full site takeover, data theft, or malware distribution to visitors.
Likely Case
Session hijacking, credential theft, or defacement of affected pages by malicious administrators.
If Mitigated
Limited impact due to requiring administrator privileges and specific WordPress configurations.
🎯 Exploit Status
Requires administrator-level WordPress credentials. Exploitation is straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None available
Vendor Advisory: https://plugins.trac.wordpress.org/browser/afiliados-de-amazon-lite/
Restart Required: No
Instructions:
1. Remove the plugin entirely.
2. No official patch exists, as the plugin appears abandoned.
3. Consider alternative Amazon affiliate plugins.
🔧 Temporary Workarounds
Enable unfiltered_html capability
Enable the unfiltered_html capability for administrators on single-site installations. With that capability, administrators are permitted by WordPress to store markup, so the plugin's missing sanitization no longer crosses a privilege boundary.
Add to wp-config.php: define('DISALLOW_UNFILTERED_HTML', false);
Note that false is already the behaviour when the constant is undefined; if wp-config.php already contains define('DISALLOW_UNFILTERED_HTML', true), remove that line rather than adding a second definition. On multisite only super admins hold unfiltered_html regardless of this constant.
Remove plugin administrator access
Restrict plugin settings access to only trusted administrators
🧯 If You Can't Patch
- Disable or remove the Amazon affiliate lite plugin entirely
- Implement strict access controls and monitor administrator activities
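As an added example (not code from the plugin or from the advisory), the following must-use plugin applies the kses filtering WordPress already uses for users without unfiltered_html to the plugin's settings on save and on read, logs when stored settings contain script markup (the "suspicious script tags in plugin configuration data" indicator above), and tells administrators whether the site is in the multisite / unfiltered_html-disabled configuration the advisory describes. The option name adal_settings is a hypothetical placeholder; the real option name must be read from the plugin's ADAL-core.php.

```php
<?php
/**
 * Plugin Name: ADAL settings hardening (added example, not the plugin's own code)
 * Install: copy to wp-content/mu-plugins/ so it loads before the plugin.
 */

// HYPOTHETICAL option name: read the real one from the plugin's ADAL-core.php.
$adal_option = 'adal_settings';

// Apply the filtering WordPress applies to content from users who lack the
// unfiltered_html capability: keeps benign markup, drops <script>, on* handlers
// and javascript: URLs. Recurses because settings are often stored as arrays.
function adal_kses_deep( $value ) {
    if ( is_array( $value ) ) {
        return array_map( 'adal_kses_deep', $value );
    }
    return is_string( $value ) ? wp_kses_post( $value ) : $value;
}

// On write: runs inside update_option() before the value is persisted, so the
// plugin's own settings handler cannot store unfiltered markup.
add_filter( "pre_update_option_{$adal_option}", function ( $new_value ) {
    return adal_kses_deep( $new_value );
} );

// On read: a value stored before this file was installed is filtered before
// the plugin echoes it into a page. Also the detection hook from the advisory:
// log when the stored settings contain a script tag or inline event handler.
add_filter( "option_{$adal_option}", function ( $value ) {
    if ( preg_match( '/<script\b|\bon\w+\s*=/i', maybe_serialize( $value ) ) ) {
        error_log( 'ADAL hardening: script markup present in stored plugin settings; review admin activity' );
    }
    return adal_kses_deep( $value );
} );

// Tell administrators whether this site is in the configuration the advisory
// describes as exposed: multisite, or unfiltered_html withheld from admins.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $exposed = is_multisite() || ! current_user_can( 'unfiltered_html' );
    $text    = $exposed
        ? 'CVE-2025-14735 precondition present: administrators here lack unfiltered_html, so plugin settings are now kses-filtered.'
        : 'Administrators hold unfiltered_html on this site; markup in plugin settings is permitted by WordPress policy.';
    printf( '<div class="notice notice-%s"><p>%s</p></div>',
        $exposed ? 'warning' : 'info', esc_html( $text ) );
} );
```

The mu-plugin is a stopgap for sites that cannot remove the plugin immediately; removal remains the recommended fix.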
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Amazon affiliate lite version. If the version is 1.0.0 or earlier and the site is either a multisite installation or has unfiltered_html disabled, you are vulnerable.
Check Version:
wp plugin list --name=afiliados-de-amazon-lite --field=version
(The --name filter matches the plugin slug, i.e. its directory name as shown in the trac URL, not the display title.)
Verify Fix Applied:
Verify plugin is removed or disabled in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual administrator activity in plugin settings
- Suspicious script tags in plugin configuration data
Network Indicators:
- Unexpected script loads from WordPress admin pages
SIEM Query:
source="wordpress" AND (event="plugin_settings_update" AND plugin="amazon-affiliate-lite")
🔗 References
- https://plugins.trac.wordpress.org/browser/afiliados-de-amazon-lite/trunk/ADAL-core.php?rev=1952216#L105
- https://plugins.trac.wordpress.org/browser/afiliados-de-amazon-lite/trunk/ADAL-core.php?rev=1952216#L236
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0c23cc3c-3c76-4ba8-8fa6-6ed0507a35c9?source=cve