A couple of weeks ago, we were performing a security scan for a customer running a Magento store. While auditing their website, our team found a critical cross-site scripting (XSS) vulnerability in the Affiliate Plus module. According to Affiliate Plus' website, 7000+ stores use the extension, so this Affiliate Plus Magento module XSS vulnerability leaves a large number of Magento stores exposed.

About Affiliate Plus Magento Module XSS

    • While logged into the store as an Affiliate, go to the ‘My Program’ section
    • In the ‘Program Name’ filter column, enter a JavaScript payload
    • Click the ‘Search’ button
    • A pop-up appears, confirming that the injected JavaScript was executed by the browser
    • In addition, the application returns raw SQL errors for the same input, exposing the query text and the database structure
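To make the two bugs concrete, here is an added example in PHP (our own illustration, not Affiliate Plus' code or the module's fix): a grid filter that reflects the affiliate's ‘Program Name’ input unescaped and concatenates it into SQL, next to the hardened form of each step. The table name `affiliateplus_program`, its columns, and the sample rows are assumptions made for this illustration.

```php
<?php
// Added example, not Affiliate Plus' code: a minimal reproduction of the bug
// class described above (an affiliate-supplied grid filter reflected unescaped
// and concatenated into SQL), next to the hardened version of each step.
// The table name `affiliateplus_program` and the column `name` are assumptions.

// Constructed payload of the kind the post describes: the leading quote closes
// the input's value attribute, and the tag that follows runs script when the
// bogus image fails to load.
$payload = '"><img src=x onerror="alert(document.cookie)">';

// Vulnerable: the 'Program Name' filter value is echoed back into the grid's
// filter input exactly as submitted.
function renderFilterUnsafe(string $programName): string
{
    return '<input type="text" name="program_name" value="' . $programName . '">';
}

// Hardened: encode for the HTML attribute context before reflecting.
// ENT_QUOTES escapes both " and ', so neither attribute delimiter can be closed;
// in a Magento 1 template the equivalent call is $this->escapeHtml($programName).
function renderFilterSafe(string $programName): string
{
    $safe = htmlspecialchars($programName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="program_name" value="' . $safe . '">';
}

// Vulnerable: the same field is concatenated into the collection query.
// A single quote breaks the statement, and with error display enabled the
// driver's message (query text, table and column names) reaches the affiliate.
function findProgramsUnsafe(PDO $db, string $programName): array
{
    $sql = "SELECT id, name FROM affiliateplus_program WHERE name LIKE '%" . $programName . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: bind the filter as a parameter so it can only ever be data.
function findProgramsSafe(PDO $db, string $programName): array
{
    $stmt = $db->prepare('SELECT id, name FROM affiliateplus_program WHERE name LIKE :name');
    $stmt->execute([':name' => '%' . $programName . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo against an in-memory SQLite database with constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE affiliateplus_program (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO affiliateplus_program (name) VALUES ('Default Program'), ('Summer Program')");

echo "Unsafe render:\n  " . renderFilterUnsafe($payload) . "\n"; // the <img> tag survives intact
echo "Safe render:\n  " . renderFilterSafe($payload) . "\n";     // quotes and angle brackets are entity-encoded

try {
    findProgramsUnsafe($db, "'");                                  // unbalanced quote breaks the statement
} catch (PDOException $e) {
    // This is the kind of message the vulnerable module leaked to the browser.
    echo "Unsafe query error: " . $e->getMessage() . "\n";
}
print_r(findProgramsSafe($db, "'"));                               // same input, handled as data: no rows, no error
print_r(findProgramsSafe($db, 'Summer'));                          // normal filter still works
```

Two things to check in your own modules: every value that comes back from a grid filter, search box or URL parameter goes through `escapeHtml` (or `htmlspecialchars` with `ENT_QUOTES`) at the point where it is rendered, and the same value only ever reaches the database as a bound parameter. Independently of both, production stores should not display PHP or SQL errors to the client, since the error text alone tells an attacker how the query and schema are shaped.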


XSS is one of the most widely found and exploited vulnerability classes, and it comes with serious consequences. In the case of reflected XSS the attack is usually targeted at a particular user, but it can also be aimed at stealing admin data and more. The consequences include:

  • Compromise of end user data and account information
  • Theft of admin details via targeted attacks
  • Exposure of the web app's internal directory structure, and here of the database structure through the leaked SQL errors


Vulnerability found by Astra team: 05/04/2017
Reported to the Affiliate Plus team: 05/04/2017
Fix worked on: 07/04/2017 to 15/04/2017
Updated version released: 16/04/2017

The Affiliate Plus team was very quick to understand the issue and worked on fixing it right away. They were proactive in deploying the necessary fixes and releasing an updated version of the module with the patch. Kudos to the team!


About The Author

Shikhil plays on the line between security and marketing. When not thinking about how to make Astra super simple, Shikhil can be found enjoying alternative rock or a game of football.
