CVE-2015-20105: 
WordPress vulnerability analysis and mitigation

The ClickBank Affiliate Ads WordPress plugin through version 1.20 contains multiple security vulnerabilities identified as CVE-2015-20105. The vulnerability was discovered by Kaustubh G. Padwad and was publicly disclosed on May 6, 2015. The affected component is the plugin's settings functionality, which lacks proper security controls (WPScan).

The vulnerability consists of two main issues: a Cross-Site Request Forgery (CSRF) vulnerability in the settings saving functionality and a Stored Cross-Site Scripting (XSS) vulnerability due to improper output escaping. The CVSS v3.1 base score is 9.6 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H (NVD).

The combination of CSRF and Stored XSS vulnerabilities allows attackers to inject malicious scripts into the admin page when an administrator can be tricked into visiting a crafted URL. Once exploited, the attacker can potentially hijack the admin's session cookies and perform any actions the administrator could typically do (Bugtraq).

The vulnerability has been fixed in version 1.35 of the ClickBank Affiliate Ads plugin. Users are advised to update to this version or later to protect against these security issues (WPScan).