Overview
A stored Cross-Site Scripting (XSS) vulnerability has been identified in the Affiliate AI Lite plugin for WordPress. This vulnerability, tracked as CVE-2025-11799, affects all versions up to and including 1.0.1. Successful exploitation of this vulnerability could allow attackers to inject malicious JavaScript code into your WordPress site, potentially compromising user accounts and sensitive data.
Technical Details
The vulnerability exists within the affiai_img shortcode, specifically through the asin attribute. Due to insufficient input sanitization and output escaping of the asin attribute, authenticated users with contributor-level access or higher can inject arbitrary web scripts. When a user accesses a page containing the malicious shortcode, the injected script will execute in their browser. This can lead to account takeover, redirection to malicious sites, or other harmful actions.
The vulnerable code is located in includes/afx-img.php, specifically around line 53, which handles the processing of the asin attribute within the affiai_img shortcode. The lack of proper escaping allows attackers to insert arbitrary HTML and JavaScript code.
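The snippet below is an added illustration, not the plugin's own code from includes/afx-img.php: it shows a minimal shortcode handler written in the unsafe pattern described above, followed by a hardened version that validates the value and escapes it on output. The function name, shortcode tag, image URL and the 10-character alphanumeric ASIN shape used for validation are all assumptions.

```php
<?php
// Added illustrative example (not the plugin's code). Names are assumptions.

// UNSAFE pattern: the attribute value is concatenated straight into the HTML.
function example_img_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'asin' => '' ), $atts, 'example_img' );
    // A contributor-controlled value reaches the page with no sanitization
    // or escaping, so it can break out of the attribute and add markup.
    return '<img src="https://example.invalid/' . $atts['asin'] . '.jpg" data-asin="' . $atts['asin'] . '">';
}

// HARDENED: normalize, validate against the expected shape, then escape
// each value with the WordPress helper that matches its output context.
function example_img_shortcode_safe( $atts ) {
    $atts = shortcode_atts( array( 'asin' => '' ), $atts, 'example_img' );
    $asin = sanitize_text_field( $atts['asin'] );

    // Assumption: a legitimate ASIN is exactly 10 alphanumeric characters.
    // Anything else is rejected outright rather than escaped and rendered.
    if ( ! preg_match( '/^[A-Z0-9]{10}$/i', $asin ) ) {
        return '';
    }

    $url = 'https://example.invalid/' . rawurlencode( $asin ) . '.jpg';
    return sprintf(
        '<img src="%s" data-asin="%s" alt="%s">',
        esc_url( $url ),    // URL context
        esc_attr( $asin ),  // attribute context
        esc_attr( $asin )
    );
}

add_shortcode( 'example_img', 'example_img_shortcode_safe' );
```

The key design point is that validation and escaping are separate defenses: the allow-list regex rejects anything that is not ASIN-shaped, and esc_attr()/esc_url() still escape the value at the exact point it enters HTML, so a later change to the validation rule does not silently reopen the output path.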
CVSS Analysis
- CVE ID: CVE-2025-11799
- Severity: MEDIUM
- CVSS Score: 6.4
A CVSS score of 6.4 places this vulnerability in the medium severity range. Although exploitation requires an authenticated account with the contributor role or higher, the low effort needed to plant the payload and the potential impact on every user who views the affected page justify treating it as a significant security risk.
Possible Impact
Exploiting this vulnerability can have serious consequences:
- Account Takeover: Attackers could potentially steal user cookies and hijack administrator accounts.
- Malicious Redirection: Users could be redirected to phishing sites or websites distributing malware.
- Defacement: Attackers could deface your website, damaging your brand reputation.
- Data Theft: Sensitive data stored on the website could be accessed and stolen.
Mitigation and Patch Steps
The most effective way to mitigate this vulnerability is to update the Affiliate AI Lite plugin to the latest version, which includes a patch addressing this issue. If an update is not available, consider temporarily disabling the plugin until a patched version is released. Here’s how to update:
- Log in to your WordPress dashboard.
- Navigate to Plugins > Installed Plugins.
- Locate the “Affiliate AI Lite” plugin.
- If an update is available, click the “Update Now” link.
If an update isn’t readily available, contact the plugin developer to inquire about a patch.
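Updating removes the bug but not shortcodes that were stored before the update. As an added example (not part of the original advisory or the plugin), the script below scans exported post content for affiai_img shortcodes whose asin attribute does not look like a real ASIN, so an administrator can review those posts by hand. The sample posts are constructed, and the assumption that a legitimate ASIN is exactly 10 alphanumeric characters is what drives the check.

```python
import re
from typing import Dict, List, Tuple

# Finds [affiai_img ...] shortcodes; quoted attribute values may contain ']'.
SHORTCODE_RE = re.compile(
    r'''\[affiai_img\b((?:"[^"]*"|'[^']*'|[^\]"'])*)\]''', re.IGNORECASE
)
# Pulls the asin attribute value: double-quoted, single-quoted or bare.
ASIN_ATTR_RE = re.compile(
    r'''\basin\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))''', re.IGNORECASE
)
# Assumption: a legitimate Amazon ASIN is exactly 10 alphanumeric characters.
VALID_ASIN_RE = re.compile(r'^[A-Za-z0-9]{10}$')


def extract_asins(content: str) -> List[str]:
    """Return every asin attribute value found in affiai_img shortcodes."""
    asins = []
    for m in SHORTCODE_RE.finditer(content):
        am = ASIN_ATTR_RE.search(m.group(1))
        if am:
            # Exactly one of the three capture groups matched.
            asins.append(next(g for g in am.groups() if g is not None))
    return asins


def find_suspicious_asins(posts: Dict[int, str]) -> List[Tuple[int, str]]:
    """Return (post_id, asin) pairs whose asin value is not ASIN-shaped."""
    flagged = []
    for post_id, content in posts.items():
        for asin in extract_asins(content):
            if not VALID_ASIN_RE.match(asin):
                flagged.append((post_id, asin))
    return flagged


# Constructed sample post_content rows, standing in for a wp_posts export.
SAMPLE_POSTS = {
    7: 'Check out [affiai_img asin="B08N5WRWNW"] for details.',
    8: '[affiai_img asin="B0ABCDEFGH" size="large"] and [affiai_img asin=\'B0ZZZZZZZZ\']',
    9: 'Odd one: [affiai_img asin="B0ABC <b>bold</b>"] and bare [affiai_img asin=B0]',
}

if __name__ == "__main__":
    for post_id, asin in find_suspicious_asins(SAMPLE_POSTS):
        print(f"post {post_id}: suspicious asin attribute {asin!r}")
```

Run it over a dump of post_content (for example the output of a wp_posts export) and review every flagged post; the allow-list check flags markup, wrong lengths and stray characters alike without needing a list of known payloads.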
