CVE-2015-20105 in ClickBank Affiliate Ads Plugin
Summary
by MITRE • 12/02/2021
The ClickBank Affiliate Ads WordPress plugin through 1.20 does not have a CSRF check when saving its settings, allowing an attacker to make a logged-in admin change them via a CSRF attack. Furthermore, due to the lack of escaping when they are output, it could also lead to Stored Cross-Site Scripting issues.
Analysis
by VulDB Data Team • 12/08/2021
The CVE-2015-20105 vulnerability affects the ClickBank Affiliate Ads WordPress plugin version 1.20 and earlier, presenting a critical security flaw that combines cross-site request forgery and stored cross-site scripting vulnerabilities. This vulnerability arises from the plugin's failure to implement proper CSRF protection mechanisms when processing administrative settings modifications, creating a significant attack vector for malicious actors targeting WordPress administrators.
The technical flaw stems from the absence of CSRF tokens in the plugin's administrative interface forms, specifically during the settings save operations. When administrators access the plugin's configuration panel, the system fails to validate that requests originate from legitimate administrative sessions rather than crafted malicious payloads. This omission allows attackers to construct specially crafted web pages or emails containing hidden form submissions that, when visited by authenticated administrators, execute unauthorized configuration changes without their knowledge or consent.
The vulnerability's impact extends beyond simple CSRF exploitation due to the plugin's improper output escaping practices. When the affected plugin displays stored configuration values on administrative pages, it fails to properly sanitize or escape these values before rendering them in HTML contexts. This creates a stored XSS vulnerability where malicious payloads can be injected into the plugin settings and subsequently executed whenever administrators view the affected administrative pages, potentially leading to complete administrative account compromise.
This vulnerability aligns with CWE-352, which specifically addresses Cross-Site Request Forgery, and CWE-79, which covers Cross-Site Scripting. The combination of these weaknesses creates a particularly dangerous attack scenario where an attacker can first establish persistent malicious code execution through XSS, then leverage the CSRF component to manipulate administrative settings to further compromise the system. The ATT&CK framework categorizes this as a privilege escalation technique through web application vulnerabilities, specifically targeting the web server's administrative interface.
The operational impact of this vulnerability is severe as it enables attackers to manipulate affiliate marketing configurations, potentially redirecting affiliate commissions to malicious accounts or altering tracking parameters. Administrators may unknowingly execute malicious code that could lead to complete system compromise, data exfiltration, or establishment of persistent backdoors. The stored nature of the XSS vulnerability means that the malicious payload remains active until manually removed from the plugin settings, creating an ongoing threat vector.
Mitigation strategies include immediate plugin updates to versions that implement proper CSRF protection tokens and output escaping mechanisms. Administrators should also implement additional security measures such as regular monitoring of administrative interface changes, implementing Content Security Policy headers, and conducting regular security audits of installed plugins. The WordPress security community recommends maintaining updated plugin versions and employing security plugins that can detect and prevent CSRF attacks. Organizations should also consider network-level protections and administrative access controls to minimize the impact of such vulnerabilities.
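The two defects described above (a settings save with no nonce check, and stored values echoed without escaping) and the fixes the mitigation section calls for can be seen side by side in a minimal WordPress settings page. The following is an added example written for this page; it is not the ClickBank Affiliate Ads plugin's own code. The option name `cbaa_demo_settings`, the nonce action `cbaa_demo_save`, the nonce field name `cbaa_demo_nonce` and the menu slug `cbaa-demo` are assumed names chosen for the illustration; the WordPress functions used (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `sanitize_text_field`, `esc_attr`) are real core API.

```php
<?php
/*
 * Added example, not the plugin's own code. Option name, nonce action,
 * nonce field name and menu slug are assumed values for this illustration.
 */

// ---- Vulnerable pattern: no nonce check on save, no escaping on output ----

function cbaa_demo_save_settings_vulnerable() {
    if ( ! isset( $_POST['cbaa_demo_settings'] ) ) {
        return;
    }
    // Any POST that carries an administrator's session cookie is accepted,
    // so a hidden form on a third-party page can rewrite the option (CWE-352).
    update_option( 'cbaa_demo_settings', $_POST['cbaa_demo_settings'] );
}

function cbaa_demo_render_vulnerable() {
    $settings = get_option( 'cbaa_demo_settings', array() );
    $id       = isset( $settings['affiliate_id'] ) ? $settings['affiliate_id'] : '';
    // The stored value is concatenated straight into an HTML attribute, so a
    // value containing a quote character escapes the attribute and is
    // interpreted as markup every time an administrator opens the page (CWE-79).
    echo '<input type="text" name="cbaa_demo_settings[affiliate_id]" value="' . $id . '">';
}

// ---- Hardened pattern: capability check + nonce on save, sanitize on input,
// ---- escape on output -------------------------------------------------------

function cbaa_demo_save_settings_hardened() {
    if ( ! isset( $_POST['cbaa_demo_settings'] ) ) {
        return;
    }
    // Only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // check_admin_referer() verifies the nonce field emitted by
    // wp_nonce_field() below and stops the request if it is missing or
    // invalid, which is exactly the check a forged cross-site form cannot pass.
    check_admin_referer( 'cbaa_demo_save', 'cbaa_demo_nonce' );

    $raw   = (array) $_POST['cbaa_demo_settings'];
    $clean = array(
        // Sanitize on input: wp_unslash() removes WordPress's added slashes,
        // sanitize_text_field() strips tags, null bytes and stray whitespace.
        'affiliate_id' => isset( $raw['affiliate_id'] )
            ? sanitize_text_field( wp_unslash( $raw['affiliate_id'] ) )
            : '',
    );
    update_option( 'cbaa_demo_settings', $clean );
}

function cbaa_demo_render_hardened() {
    $settings = get_option( 'cbaa_demo_settings', array() );
    $id       = isset( $settings['affiliate_id'] ) ? $settings['affiliate_id'] : '';
    echo '<form method="post">';
    // Emits a hidden nonce input bound to the current user and a time window.
    wp_nonce_field( 'cbaa_demo_save', 'cbaa_demo_nonce' );
    // Escape for the attribute context on output, whatever is stored: a quote
    // in the value becomes &quot; and can no longer terminate the attribute.
    echo '<input type="text" name="cbaa_demo_settings[affiliate_id]" value="' . esc_attr( $id ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

// Register only the hardened page in the admin menu (assumed slug "cbaa-demo").
add_action( 'admin_menu', function () {
    add_options_page(
        'Demo Settings',
        'Demo Settings',
        'manage_options',
        'cbaa-demo',
        function () {
            cbaa_demo_save_settings_hardened();
            cbaa_demo_render_hardened();
        }
    );
} );
```

Two points worth noting about the hardened version. The nonce check and the output escaping are independent fixes: the nonce alone would stop the cross-site save but would leave any value that had already been stored executing on every page load, while escaping alone would stop the script execution but still let a forged request change the affiliate settings. Sanitizing on input is defence in depth, not a substitute for escaping on output, because the same stored value may later be rendered in a different context (an attribute, element text, a URL) that needs a different escaping function.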