While performing a security audit for a client, we happened to find a vulnerability in the Affiliate Plus extension. I believe a number of Magento store owners use this extension.
The vulnerability found was XSS, not a major one, but it can still be used by hackers to compromise end user/admin accounts too. We worked with the Magestore team to fix the vulnerability and a new patched version is out. Requesting everyone using the Affiliate Plus module to please fix it.
All the details about the vulnerability can be found on our blog: https://www.getastra.com/blog/magento-module-xss-affiliate-plus-update/
Hope it helps, please be sure to upgrade!
Thanks for this, man. I have also checked it on my affiliate extension at https://www.jorhna.com and we found the error; now my team is working on the patch. Thanks again for putting this out here for all of us to know.
Glad I could help. We try and put out the vulnerabilities we find in extensions so that others can benefit.