Upgrade Affiliate Plus Magento Extension – XSS Vulnerability Found

Updated on: March 29, 2020

A couple of weeks ago, while performing a security scan for a customer running a Magento store, our team found a critical cross-site scripting (XSS) vulnerability in the Affiliate Plus extension. According to Affiliate Plus’ website, the extension is used by 7000+ stores, so this flaw leaves a large number of Magento stores exposed.

About Affiliate Plus Magento Module XSS

The issue is a reflected XSS flaw in the affiliate account area: the value typed into the program grid’s search filter is written back into the page without being HTML-encoded. To reproduce it:

  • Log into the store as an affiliate and open the ‘My Program’ section.
  • In the ‘Program Name’ filter column, enter the following JavaScript:
    <script>alert(/XSS_Vulnerability/)</script>
  • Click the ‘search’ button.
    [Screenshot: the payload entered in the Program Name filter]
  • An alert pop-up appears, confirming that the injected script was rendered as part of the page and executed.
    [Screenshot: the alert dialog rendered by the injected script]
  • In addition, the same input causes the application to return raw SQL error messages in the response, disclosing the query text and parts of the database structure.
    [Screenshot: SQL error output from the application]
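To make the two findings concrete, what follows is an added example in plain PHP, not code from the Affiliate Plus module or from Astra, of the pattern behind them: a stand-in for a grid filter handler that echoes the ‘Program Name’ value back into the page, first without encoding (the vulnerable behaviour reproduced above), then with HTML encoding at the point of output, plus a search query that binds the filter as a parameter and logs database errors instead of rendering them. The request parameter name program_name, the affiliate_program table and its columns, and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Added example (not code from the Affiliate Plus module or from Astra).
// A minimal stand-in for an affiliate-area grid that echoes the
// "Program Name" filter back into the page: the reflected-XSS pattern
// described above, the hardened rendering beside it, and a query path
// that does not leak database errors. The parameter name `program_name`,
// the table/column names and the SQLite schema are assumptions.

declare(strict_types=1);

// Vulnerable: the filter value is interpolated into HTML unencoded, so
// <script>alert(/XSS_Vulnerability/)</script> is rendered as live markup.
function renderFilterUnsafe(string $programName): string
{
    return '<input name="program_name" value="' . $programName . '">'
         . '<p>Results for: ' . $programName . '</p>';
}

// Fixed: HTML-encode at the point of output. Magento block classes
// provide escapeHtml() for this; plain htmlspecialchars() suffices here.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderFilterSafe(string $programName): string
{
    return '<input name="program_name" value="' . esc($programName) . '">'
         . '<p>Results for: ' . esc($programName) . '</p>';
}

// Second finding: database errors surfacing in the response.
// Bind the filter as a parameter and never render the exception text.
function searchPrograms(PDO $db, string $programName): array
{
    try {
        $stmt = $db->prepare(
            'SELECT program_id, name FROM affiliate_program WHERE name LIKE :q'
        );
        $stmt->execute([':q' => '%' . $programName . '%']);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        // Log the driver message server-side; the caller shows a generic error.
        error_log('affiliate program search failed: ' . $e->getMessage());
        return [];
    }
}

// Constructed input standing in for $_GET['program_name'] on the "search" request.
$payload = '<script>alert(/XSS_Vulnerability/)</script>';

echo "UNSAFE:\n" . renderFilterUnsafe($payload) . "\n\n";
echo "SAFE:\n"   . renderFilterSafe($payload)   . "\n\n";

// In-memory SQLite (assumed schema) so the query path runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE affiliate_program (program_id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO affiliate_program (name) VALUES ('Spring Promo'), ('Referral Bonus')");

print_r(searchPrograms($db, $payload)); // no rows, and no error text in the output
print_r(searchPrograms($db, 'Promo'));  // the 'Spring Promo' row
```

Run from the command line with php, the script prints the unencoded markup (in which the script tag survives intact) beside the encoded version (where it appears as &lt;script&gt;…), then the query results; a query that fails returns an empty result set and writes the driver message to the error log rather than to the response. In a real Magento block the escaping would go through the block’s escapeHtml() helper and the query through the module’s resource model, but the principle is the same: encode at output, parameterise at the database boundary, and keep error detail out of the page.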

Consequences

XSS is one of the most widely found and exploited classes of web vulnerability, and it carries serious consequences. In the case of reflected XSS the attack is usually aimed at a particular victim, who has to be lured into opening a crafted link, but the same technique can be pointed at store administrators to steal their data. The consequences include:

  • Compromise of end-user data and account information
  • Theft of admin details through targeted attacks
  • Exposure of the application’s internal structure (file paths and database schema) through the error messages described above

Timeline

The Affiliate Plus team was quick to understand the issue and began working on a fix right away. They proactively deployed the necessary fixes and released an updated version of the module containing the patch. Kudos to the team! Store owners running Affiliate Plus should upgrade to the patched release.

Shikhil Sharma

Shikhil Sharma is the founder & CEO of Astra Web Security. Having been involved with cybersecurity for over six years now, his vision is to make cyber security a 5-minute affair. Shikhil plays on the line between security and marketing. From time to time, he shares his knowledge on core cybersecurity topics on Astra’s blog. When not thinking about how to make Astra super simple, Shikhil can be found enjoying alternative rock or a game of football.
