CVE-2025-5845

The Affiliate Reviews plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to and including 1.0.6. The issue originates from insufficient input sanitization and output escaping on the ‘numColumns’ parameter, allowing malicious HTML and JavaScript to be persisted on the server [1].

Exploitation

The attack can be performed by authenticated users who have at least Contributor-level access. The attacker crafts a payload in the ‘numColumns’ parameter, which, due to the lack of proper sanitization, is stored in the WordPress database. The injected script then executes in the browsers of any user viewing the affected page, without requiring any additional interaction [1].

Impact

A successful exploit allows the attacker to inject arbitrary web scripts. This can be used to steal session cookies, deface the site, redirect users to malicious sites, or perform other client-side attacks within the context of the victim’s session. The stored nature of the XSS makes it particularly dangerous, as the payload persists until removed.

Mitigation

Users of the Affiliate Reviews plugin should upgrade to version 1.0.7 or later as soon as it becomes available. The plugin's developer has not yet released a patch as of the publication date, but the CVE indicates the version range vulnerable is all versions ≤ 1.0.6 [1]. Until a fix is applied, site administrators should review and limit Contributor-level access and manually sanitize any use of the ‘numColumns’ parameter.