CVE-2026-15296
Summary
by MITRE • 07/10/2026
The affiliate-toolkit – WP Affiliate Plugin with Amazon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'atkp_product' shortcode in all versions up to, and including, 3.7.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is a bypass to CVE-2024-10227.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/10/2026
The affiliate-toolkit plugin for WordPress represents a significant security vulnerability through its stored cross-site scripting flaw in the atkp_product shortcode functionality. This vulnerability affects all versions up to and including 3.7.0, creating a persistent threat vector that allows authenticated attackers with contributor-level privileges or higher to inject malicious scripts into the plugin's output. The flaw stems from inadequate input sanitization and insufficient output escaping mechanisms that fail to properly validate or sanitize user-supplied attributes before processing them within the shortcode implementation.
The technical nature of this vulnerability places it squarely within the CWE-79 category of Cross-Site Scripting, specifically manifesting as a stored XSS variant where malicious payloads are permanently embedded in the application's data storage rather than being reflected in response headers. The vulnerability exists because the plugin does not adequately sanitize input parameters passed to the atkp_product shortcode, allowing attackers to inject script code that gets executed whenever users access pages containing the compromised content. This represents a critical bypass of CVE-2024-10227, indicating that previous remediation efforts were insufficient or incomplete.
The operational impact of this vulnerability extends beyond simple script injection as it enables attackers to manipulate user sessions, steal cookies, perform unauthorized actions on behalf of victims, and potentially escalate privileges within the WordPress environment. Since contributors can execute this attack, it creates a particularly dangerous scenario where less privileged users with legitimate access rights can compromise the entire system. The vulnerability affects any page that processes the atkp_product shortcode, making the attack surface broad and potentially devastating to user trust and data integrity.
Security professionals should immediately implement mitigations including immediate plugin updates to versions that address this XSS vulnerability, implementing strict input validation for all shortcode parameters, and establishing robust output escaping mechanisms. Organizations must also consider network-based protections such as web application firewalls that can detect and block malicious script payloads in real-time. The ATT&CK framework categorizes this vulnerability under T1566 - Phishing and T1071.1003 - Application Layer Protocol: DNS, where the stored XSS could be used to establish a persistent foothold for further attacks. Additionally, implementing principle of least privilege access controls can help limit the potential damage from compromised contributor accounts. Regular security audits should verify that no malicious scripts have been injected into existing content and that all user-supplied data is properly validated before being processed by the plugin's shortcode functionality.