CVE-2024-5286: 
WordPress vulnerability analysis and mitigation

The wp-affiliate-platform WordPress plugin before version 6.5.1 contains a Reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2024-5286. The vulnerability was discovered and disclosed on July 13, 2024, affecting the banner editing functionality of the plugin. This security issue specifically impacts high-privilege users such as administrators (WPScan).

The vulnerability stems from improper sanitization and escaping of parameters in the banner editing functionality. When parameters are output back to the page, they are not properly sanitized, enabling a reflected XSS attack. The vulnerability has been assigned a CVSS v3.1 score of 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows attackers to execute arbitrary JavaScript code in the context of high-privilege users' browsers, potentially leading to unauthorized actions or data theft when an administrator visits a specially crafted URL (WPScan).

Users are advised to update their wp-affiliate-platform WordPress plugin to version 6.5.1 or later, which contains the fix for this vulnerability (WPScan).