CVE-2015-20106: 
WordPress vulnerability analysis and mitigation

The CVE-2015-20106 vulnerability affects the ClickBank Affiliate Ads WordPress plugin through version 1.20. This security flaw was discovered by Kaustubh G. Padwad and was publicly disclosed on May 6, 2015. The vulnerability was officially assigned a CVE ID on December 1, 2021 (WPScan).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue, specifically a stored XSS vulnerability (CWE-79). It has received a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability exists because the plugin does not properly escape its settings, which can be exploited even when the unfiltered_html capability is disabled (NVD).

The vulnerability allows high-privilege users to perform Cross-Site Scripting attacks through the plugin's settings. This can potentially lead to the execution of malicious JavaScript code in users' browsers who access the affected areas of the WordPress installation (WPScan).

The vulnerability has been fixed in version 1.35 of the ClickBank Affiliate Ads plugin. Users are advised to update their installations to this version or later to mitigate the security risk (WPScan).